PHP "encryption" scam

I once stumbled across a website that purported to offer a toolset to encrypt PHP files so that they could be distributed to customers without the fear that they would steal the source code. The website boasted that the system used "ten levels of encryption" to make it extremely difficult to crack.

Now, anybody who has even the slightest inkling of how PHP works should immediately be suspicious about this. After all, PHP is an interpreted scripting language (this was several years ago, and at least at the time it was not possible to byte-compile PHP for a "binary" distribution). This means that the PHP interpreter (usually a web server) needs to see the original source code in order to execute it. Such interpreters do not support any kind of "encryption" (and even if they did, it would be very hard to enforce because at some level the interpreter needs to see the source that it will parse and interpret).

If that had been all the site explained about their tool, it would have just been a curiosity. However, they stupidly offered a sample of what an "encrypted" PHP file would look like after running it through their tool.

Did the source code contain a really complicated set of high-quality encryption schemes, using state-of-the-art encryption algorithms, and extremely hard-to-decipher decryption? No. What their tool produced was code like this:

<?php
eval(base64_decode("(a bunch of base64-encoded characters)"))
?>

I'm not kidding. Their "encryption" consisted solely of base64-encoding the source code and putting an "eval(base64_decode())" call around it. (And no, the original source code was not modified in any way by this tool. After decoding, the exact original source code was produced.)

And their "ten levels of encryption"? Well, in fact when that string was decoded, it produced another "eval(base64_decode())" command with a different base64-encoded string. Decode this ten times, and you get the original PHP source code.

The above isn't even encryption. It's a slight obfuscation of the source code. What's worse, the way to de-obfuscate it is right there at the beginning of the code. (Of course it's there so that the PHP interpreter will know what to do with the string. However, a human can read it just as well.) Their "ten layers of encryption" do absolutely nothing useful other than making the PHP file significantly less efficient (and causing the "hacker" to have to write a loop to "break" the "encryption").
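
The layered wrapper described above can be peeled statically, without ever handing the file to a PHP interpreter, which is also the safe way to inspect an untrusted PHP file wrapped like this. The following Python code is an added example, not code from the original page or from the tool in question; the sample payload and the names wrap, unwrap and MAX_LAYERS are constructed for illustration, and it assumes the inner layers are bare eval(...) statements with only the outermost one inside PHP tags.

```python
import base64
import binascii
import re

# One wrapper layer: eval(base64_decode("...")), optionally inside
# <?php ... ?> tags, with an optional trailing semicolon.
WRAPPER = re.compile(
    r"""^\s*(?:<\?php\s+)?eval\s*\(\s*base64_decode\s*\(\s*
        (["'])([A-Za-z0-9+/=\s]*)\1\s*\)\s*\)\s*;?\s*(?:\?>)?\s*$""",
    re.VERBOSE | re.IGNORECASE,  # PHP function names are case-insensitive
)

MAX_LAYERS = 100  # hypothetical safety cap against pathological nesting


def wrap(source: str, layers: int) -> str:
    """Build a constructed sample shaped like the output the page describes."""
    for _ in range(layers):
        payload = base64.b64encode(source.encode("utf-8")).decode("ascii")
        source = f'eval(base64_decode("{payload}"));'
    return f"<?php\n{source}\n?>"


def unwrap(text: str):
    """Peel wrapper layers by decoding only; nothing is ever executed.

    Returns (innermost_text, number_of_layers_removed).
    """
    layers = 0
    while layers < MAX_LAYERS:
        match = WRAPPER.match(text)
        if match is None:
            break  # no further wrapper: this is the innermost source
        try:
            decoded = base64.b64decode(match.group(2)).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            break  # malformed layer: stop and return what was recovered
        text = decoded
        layers += 1
    return text, layers


if __name__ == "__main__":
    original = 'echo "Hello, customer";'  # constructed sample source
    recovered, depth = unwrap(wrap(original, 10))
    print(depth, recovered)
```
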

Yes, I'm completely serious. They were really offering a tool to do the above to PHP source files. This is the most idiotic "encryption" I have ever seen, and this was being sold to companies for actual money.

The website even acknowledged somewhere that their "encryption" is not unbreakable. (Of course they didn't hint at how easy it is to break. Heck, it's not even "easy"; it's laughably trivial. Even someone who has never even heard of PHP would be able to break this, at least if he has even the slightest experience with scripting languages.) Their solution to this minor problem? Imposing copyright on the source code.

Well, duh. They could just impose copyright on the original, skip this ridiculous tool altogether, and have exactly the same amount of protection. This "tool" is completely useless. If someone wanted to steal the source code, they would probably know at least the very basics of PHP and immediately figure out how to decode their slight obfuscation.

And they were selling this. For money.

If this is not fraud, I don't know what is.

