Can we encrypt PHP code?

Welcome to a guide on how to encrypt and hide PHP source code. Need to hide the source code for security reasons? Or maybe a client is not willing to pay in full? Sadly, there are no “smart solutions” to hide PHP code.

It is impossible to totally hide the PHP source code since it is an interpreted language, but there are a few possible alternatives:

  1. Use a code obfuscator to make the source code difficult to read.
  2. Use a code protector or encoder. Something like an alternative PHP engine, but with the ability to protect the source code.
  3. Lastly, compile the PHP code using a converter or virtual machine.

Either way, hiding the source code is not going to be straightforward. I will not recommend doing so, as you might end up wasting time and money instead. But if you really want to do it, this guide will walk you through the possible options – Read on!

METHOD 1) FREE PHP OBFUSCATORS

The first alternative is to use one of the many free PHP obfuscators. Just what is an obfuscator? It simply turns the original code into a mess of a seemingly jumbled script that cannot be easily read by humans.

ONLINE OBFUSCATOR

Do a search online for “free PHP obfuscator”, and you will get a number of different services to choose from. One of them is Mobile Fish, which we can copy and paste our PHP code into. For example, when we input the following script:

<?php
$varA = "Hello World";
$varB = "Foo Bar";
$varC = $varA . " " . $varB;
echo $varC;

That will give us a very surprising:

<?php
eval(str_rot13(gzinflate(str_rot13(base64_decode('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')))));

Yep, don’t think that is human-readable anymore.
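The wrapper above is only a chain of reversible decoding calls, so a reviewer can recover the inner script without ever running eval(). The following is an added example, not part of the original guide: it peels such chains statically in Python. The sample is constructed here from the guide's input script, and the names unwrap and wrap are chosen for this illustration.

```python
import base64
import re
import zlib

# ROT13 over bytes, matching PHP's str_rot13 (only ASCII letters change).
ROT13 = bytes.maketrans(
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz",
    b"NOPQRSTUVWXYZABCDEFGHIJKLMnopqrstuvwxyzabcdefghijklm",
)
# PHP function name -> equivalent pure decoder; nothing here executes PHP.
DECODERS = {
    "base64_decode": base64.b64decode,
    "str_rot13": lambda b: b.translate(ROT13),
    "gzinflate": lambda b: zlib.decompress(b, -15),  # raw DEFLATE stream
}
WRAPPER = re.compile(r"eval\(\s*((?:\w+\(\s*)+)'([^']*)'[\s)]*;")


def unwrap(php_source, max_layers=20):
    """Statically peel eval(f(g('payload'))) layers and return the inner code."""
    for _ in range(max_layers):
        m = WRAPPER.search(php_source)
        if not m:
            return php_source
        data = m.group(2).encode("ascii")
        for name in reversed(re.findall(r"\w+", m.group(1))):  # innermost first
            if name not in DECODERS:
                raise ValueError(f"unsupported decoder: {name}")
            data = DECODERS[name](data)
        php_source = data.decode("utf-8", errors="replace")
    raise ValueError("too many nested layers")


def wrap(php_body):
    """Constructed sample: encode php_body with the chain the guide shows."""
    co = zlib.compressobj(wbits=-15)
    deflated = co.compress(php_body.encode().translate(ROT13)) + co.flush()
    blob = base64.b64encode(deflated.translate(ROT13)).decode()
    return f"<?php\neval(str_rot13(gzinflate(str_rot13(base64_decode('{blob}')))));"


# The guide's input script, without the opening tag (eval takes bare PHP code).
BODY = '$varA = "Hello World";\n$varB = "Foo Bar";\n$varC = $varA . " " . $varB;\necho $varC;'

if __name__ == "__main__":
    print(unwrap(wrap(BODY)))
```
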

OFFLINE OBFUSCATOR

Most online obfuscators have limitations on the number of characters, so if you have massive scripts, it is better to download and use an offline obfuscator instead. There are a couple of good ones out there, and one that I will recommend is YAK Pro. You can either download it straight from GitHub or clone it directly. It does require the PHP-Parser library as well.

git clone https://github.com/pk-fr/yakpro-po.git
git clone https://github.com/nikic/PHP-Parser.git

Once you have downloaded both libraries, you can run YAK Pro in the command line to encode your scripts:

D:\http\yakpro-po-master>php yakpro-po.php test.php
Info:   Using [D:\http\yakpro-po-master\yakpro-po.cnf] Config File...
Info:   yakpro-po version = 2.0.3
Info:   Process Mode            = file
Info:   source_file             = [D:\http\yakpro-po-master\test.php]
Info:   target_file             = [stdout]
Obfuscating D:\http\yakpro-po-master\test.php
<?php
/*   __________________________________________________
    |  Obfuscated by YAK Pro - Php Obfuscator  2.0.3   |
    |              on 2019-03-09 09:25:54              |
    |    GitHub: https://github.com/pk-fr/yakpro-po    |
    |__________________________________________________|
*/
 goto LLSso; mh5vK: $EjslL = $ZvlM7 . "\x20" . $c23ok; goto xEHTG; LLSso: $ZvlM7 = "\x48\x65\154\x6c\x6f\x20\127\x6f\162\154\144"; goto uktyA; uktyA: $c23ok = "\106\x6f\x6f\x20\x42\141\162"; goto mh5vK; xEHTG: echo $EjslL;
Info:   [variable      ] scrambled      :        3
Info:   [function      ] scrambled      :        0
Info:   [method        ] scrambled      :        0
Info:   [property      ] scrambled      :        0
Info:   [class         ] scrambled      :        0
Info:   [class_constant] scrambled      :        0
Info:   [constant      ] scrambled      :        0
Info:   [label         ] scrambled      :        4

P.S. I have set YAK Pro to directly output the code in the command line here. But it does accept quite a lot of configuration parameters, and you can specify where to save the obfuscated code to. Please do check out their official webpage for more documentation.
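The YAK Pro output above hides the script behind scrambled names, goto-shuffled statement order and hex/octal string escapes, none of which removes information. This added example (not part of the original guide or of YAK Pro) restores reading order and string literals for straight-line output like the sample. The function names are chosen here, and it assumes every shuffled block ends in a goto and no string contains a literal semicolon.

```python
import re

# The obfuscated line copied from the YAK Pro output shown above.
SAMPLE = (r'goto LLSso; mh5vK: $EjslL = $ZvlM7 . "\x20" . $c23ok; goto xEHTG; '
          r'LLSso: $ZvlM7 = "\x48\x65\154\x6c\x6f\x20\127\x6f\162\154\144"; goto uktyA; '
          r'uktyA: $c23ok = "\106\x6f\x6f\x20\x42\141\162"; goto mh5vK; xEHTG: echo $EjslL;')

ESCAPE = re.compile(r"\\x([0-9A-Fa-f]{1,2})|\\([0-7]{1,3})")
STRING = re.compile(r'"((?:[^"\\]|\\.)*)"')
LABEL = re.compile(r"^(\w+):\s*(.*)$", re.S)
GOTO = re.compile(r"^goto\s+(\w+)$")


def decode_escapes(stmt):
    """Replace \\xNN and \\NNN escapes in double-quoted strings with plain text."""
    def one(m):
        code = int(m.group(1), 16) if m.group(1) else int(m.group(2), 8) & 0xFF
        # Leave non-printable bytes and PHP-significant characters escaped.
        return chr(code) if 32 <= code < 127 and chr(code) not in '"\\$' else m.group(0)
    return STRING.sub(lambda s: '"' + ESCAPE.sub(one, s.group(1)) + '"', stmt)


def linearize(obfuscated):
    """Follow the goto chain and return the statements in execution order."""
    blocks, entry, current = {}, [], None
    for stmt in (s.strip() for s in obfuscated.split(";")):
        m = LABEL.match(stmt)
        if m:  # "label: statement" opens a new block
            current, stmt = m.group(1), m.group(2)
            blocks[current] = []
        if stmt:
            (entry if current is None else blocks[current]).append(stmt)
    out, queue, seen = [], entry, set()
    while queue:
        target = None
        for stmt in queue:
            g = GOTO.match(stmt)
            if g:
                target = g.group(1)
                break
            out.append(decode_escapes(stmt) + ";")
        if target is None or target in seen:  # end of program or a real loop
            break
        seen.add(target)
        queue = blocks.get(target, [])
    return out


if __name__ == "__main__":
    print("\n".join(linearize(SAMPLE)))
```
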

NOTES & LIMITATIONS

  • Obfuscators work on the basis of hashing the original script.
  • It is still possible to reverse engineer and get back the original script.
  • Obfuscated scripts are not good performance-wise. It has to decode the hashed string first, then run eval().
  • The level of protection and performance depends on the encoding-decoding algorithm.

METHOD 2) PAID PHP PROTECTORS & ENCODERS

Don’t trust the free PHP obfuscators? Or need something more professional? Then there are a few paid PHP code protectors and encoders available. Be warned though, they can cost quite a lot.

THE PHP PROTECTORS & ENCODERS

  • Zend Guard
  • ionCube
  • PHP Shield

THE BEST ENCODER?

Personally, I have not gone deep into the paid options – They are expensive! But Zend Guard looks good, and even comes with a licensing system… Not a sponsored post, but check out their quick start tutorial if you are interested.

NOTES & LIMITATIONS

The performance of “code protectors” varies; it really depends on how the engine works. Some can be simple obfuscators as above, while a few others might be an “alternative PHP engine”, or “PHP BlackBox extension”… Hence the price.

METHOD 3) PHP COMPILER

This final option might cause some code ninjas to cringe, as it involves compiling PHP code and breaking the “traditional” way of how things work.

INTERPRETER VS COMPILER

A quick recap for you beginners who might have forgotten the difference between interpreters and compilers:

  • Interpreted languages: The source code is read and executed “on the fly”. For example, PHP and JavaScript are interpreted languages; to run a PHP script on a computer, PHP must be installed first.
  • Compiled languages: The source code needs to be compiled into a self-contained executable first. For example, we can create executable files with C++; the executable files can run independently on computers without having to install C++.

NOTES & LIMITATIONS

PHP is an interpreted language “by default” and there is no official way for us to compile PHP scripts. Some of the “PHP compilers” available out there work by converting PHP to another language (such as Java), then compiling it.

In this case, the compiled scripts will officially turn into a standalone executable – No longer readable by PHP engines nor web servers as you might originally intend. So please do take extra note of this aspect, “compiled PHP” scripts are mostly meant for self-contained command-line applications only.

THE PHP COMPILERS

There are plenty of “PHP compilers”, and you can check these out:

  • Phalanger
  • RapidEXE
  • Bambalam
  • Roadsend

WHICH IS THE BEST?

It depends on the situation and what you want.

  • Free obfuscators don’t perform that well, but they protect the code well enough and cost nothing.
  • Paid encoders might not perform that well either, but they do offer a certain level of protection.
  • Compilers are not 100% compatible, do not produce website-friendly scripts, but they perform very well… and trying to reverse engineer a compiled script is virtually impossible.

TO ENCODE OR NOT TO ENCODE

It all boils down to your original intention. If you have a million-dollar system, and security is a concern – Then yes, spending some time and money to protect your intellectual property is well worth all the effort.

But if you are facing a problem with non-paying customers, it may still be a good idea to obfuscate some of the main library files with a free obfuscator. Don’t waste too much time or money, and let the non-paying customer suffer the performance loss. Keep the full source code and improved performance as a bargaining chip, then just move on with your next project and customer.

THE END

Thank you for reading, and we have come to the end of this guide. I hope that it has helped you with your project, and if you want to share anything with this guide, please feel free to comment below. Good luck and happy coding!

Can I encrypt my PHP code?

Yes, you can definitely hide/encode/encrypt the PHP source code and 'others' can install it on their machine.

How can we encrypt the username and password using PHP?

Encryption of the password: To generate a hash from the string, we use the password_hash() function. The password_hash() function creates a new password hash of the string using one of the available hashing algorithms.

How do I encrypt a website source code?

You can't, unfortunately. HTML is always open so that the browser can render it, so there's no way to encrypt it. Why "unfortunately"? Just think how much harder it would be to learn HTML/CSS if you couldn't have access to the "source" of any web page...

What is cryptography in PHP?

PHP encryption is nothing but achieving the encryption code with the help of some algorithms, which are sometimes called hashing algorithms. They usually work by taking a string or some other input and creating a unique fingerprint from it.