really encoding?


  • Anonymous

    Sorry if this is a stupid question.
    I read on the Turck MMCache home page:
    You can encode PHP scripts using encoder.php in order to distribute them without sources. Encoded files can be run on any site which runs PHP with Turck MMCache 2.3.10 or above. The sources of encoded scripts can't be restored because they are stored in a compiled form and the encoded version doesn't contain the source. Of course, some internals of the scripts can be restored with different reverse engineering tools (disassemblers, debuggers, etc), but it is not trivial.

    Well, what if someone reads and modifies "loader.c" to make a decoder?
    What if someone with access to the cache directory reads the contents and decodes them (using the material in "opcodes.c")?


    • Dmitry Stogov

      Yes, it is possible. In this way a hacker can get the Zend bytecode of your script, but any program compiled to native code can be disassembled too.

      It is possible to protect the bytecode with some permutations and write an executor for it, but if the executor is Open Source, hackers will be able to get the bytecode again.

      I think the encoder is secure enough for an Open Source program.

    • rodrigo diaz

      Why not write an executor based on a password?
      This password can be a #define in a password.h file, so you can modify this password and compile mmcache to use this password. The problem is that only files encoded with this mmcache can be decoded. You must distribute the encoded files and the loader (or mmcache) compiled with this password.

    • George

      Just a little more work for the hacker. First he takes a look in the loader to discover the decryption password, then he does the whole job to get the Zend bytecode and convert it back to PHP.

      If the hacker REALLY wants to do something, he probably will do it, even if you give the source or give an encrypted program.