PHP code encryption + extension-based decryption in practice
2022-06-24 08:40:00 【An unreliable programmer】
Code encryption + extension-based decryption in practice
This scheme encrypts the code and then uses a PHP extension written in C to decrypt it. This makes the code harder to crack, but it can still be cracked.
I found various open source solutions for code encryption on the Internet.
Once a solution is open source, security cannot be guaranteed. After all, the encryption and decryption logic are public.
At present we are not able to write the extension ourselves, so we still need to use an open source solution.
The more useful one I found is php-beast.
https://github.com/liexusong/php-beast
Getting hands-on
1. Download the source code
wget https://github.com/liexusong/php-beast/archive/master.zip
2. Decompress
unzip master.zip
3. Enter the source directory
cd php-beast-master
4. Modify the user-defined file header in header.c
char encrypt_file_header_sign[] = { 0xe8, 0x16, 0xa4, 0x0c, 0xf2, 0xb2, 0x60, 0xee };
5. Modify the default encryption key. AES encryption is chosen here, so modify the aes_algo_handler.c file; you can replace the key with a randomly generated string. Do not reuse the key I wrote casually for this test. Whoever deploys must remember to change this key and save it.
static uint8_t key[] = { 0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6, 0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c, };
6. As a security mechanism, we choose to enable the network card binding option. Modify the networkcards.c file and add the MAC address.
char *allow_networkcards[] = {
"replace with the network card's MAC address", NULL,
};
After network card binding is enabled, beast uses eth0 as the default network card name. If your network card has a different name, you need to add it to php.ini, for example: beast.networkcard = "eth0,eth1,eth2".
7. Use phpize to build and install the extension
phpize
./configure
make install
If a step reports that php-config cannot be found, specify the php-config path manually when compiling.
8. After installation, modify php.ini
extension=beast.so
9. Restart php-fpm
At this point, the extension installation is complete.
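Steps 4 and 5 can be scripted so that no build ships the file header or key printed above. The following is an added example, not part of php-beast or the original post: the function names are hypothetical, the regular expressions assume the two declarations look as they do on this page, and the 16-byte key and 8-byte header lengths are kept as shown.

```python
import re
import secrets

# Declarations as they appear on this page (header.c, aes_algo_handler.c).
HEADER_DECL = r"char\s+encrypt_file_header_sign\[\]\s*=\s*\{[^}]*\};"
KEY_DECL = r"static\s+uint8_t\s+key\[\]\s*=\s*\{[^}]*\};"
# AES key printed on this page; a build must never ship it.
DEFAULT_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")


def c_bytes(data):
    """Format bytes as a C initializer body: 0x2b, 0x7e, ..."""
    return ", ".join(f"0x{b:02x}" for b in data)


def replace_array(source, decl_pattern, new_bytes):
    """Swap the initializer of the single array matching decl_pattern."""
    def patch(match):
        head = match.group(0).split("{", 1)[0]
        return f"{head}{{ {c_bytes(new_bytes)} }};"
    patched, count = re.subn(decl_pattern, patch, source)
    if count != 1:
        raise ValueError(f"expected exactly one declaration, found {count}")
    return patched


def rotate_key(source, key=None):
    """Return (patched aes_algo_handler.c text, key) with a fresh 16-byte key."""
    key = key or secrets.token_bytes(16)
    if len(key) != 16 or key == DEFAULT_KEY:
        raise ValueError("key must be 16 bytes and not the key from the page")
    return replace_array(source, KEY_DECL, key), key


def rotate_header(source, sign=None):
    """Return (patched header.c text, signature) with a fresh 8-byte signature."""
    sign = sign or secrets.token_bytes(8)
    if len(sign) != 8:
        raise ValueError("file header signature must be 8 bytes")
    return replace_array(source, HEADER_DECL, sign), sign


if __name__ == "__main__":
    # Constructed one-line stand-in for aes_algo_handler.c.
    sample = "static uint8_t key[] = { 0x2b, 0x7e, };"
    text, new_key = rotate_key(sample)
    print(text)
```

The returned key and signature are what the build server has to back up, since files encrypted with them can only be loaded by an extension compiled with the same values.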
Encrypting the code
With the php-beast extension installed, you can use encode_files.php in the tools directory to encrypt your project. Before using encode_files.php, modify the configure.ini file in the tools directory as follows:
; source path
src_path = ""
; destination path
dst_path = ""
; expire time
expire = ""
; encrypt type (selection: DES, AES, BASE64)
encrypt_type = "AES"
src_path is the path of the project to be encrypted, dst_path is the path where the encrypted project is saved, and expire sets how long the project remains usable (the expire format is YYYY-mm-dd HH:ii:ss). encrypt_type is the encryption method; the options are DES, AES and BASE64. After modifying configure.ini, run the command php encode_files.php to start encrypting the project.
Notes
There are many steps, but they are all command-line steps. Just type the commands.
Steps 4, 5 and 6 are for security.
After a MAC address has been bound, php-fpm will not start when restarted on a machine whose MAC address is not bound. The error message is:
NOTICE: PHP message: PHP Fatal error: Unable to start beast module in Unknown on line 0
failed
The generated beast.so extension can only be loaded on a machine with the bound network card.
Deployment and installation method
- Install the extension on the target machine. After installing the extension, delete the entire php-beast-master directory.
- On the deployment machine, that is, the Jenkins server, the directory used to install the extension does not need to be deleted. If you do delete it, remember to back up the custom key from step 5.
- In the build stage, have an automation script run php encode_files.php to encrypt the code.
- In the deployment stage, publish the encrypted code to the target machine.
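A build-stage check that no unencrypted PHP ends up in dst_path before it is published, as an added example that is not part of php-beast or the original post. It assumes encrypted files begin with the file header signature from header.c and that only .php files are meant to be encrypted; the function names are hypothetical and build_sample_tree writes constructed sample files.

```python
import os
import tempfile

# Signature from header.c on this page; use your own after step 4.
# Assumption: every encrypted file starts with these bytes.
HEADER_SIGN = bytes([0xE8, 0x16, 0xA4, 0x0C, 0xF2, 0xB2, 0x60, 0xEE])
PLAINTEXT_MARKERS = (b"<?php", b"<?=")


def classify(path, sign=HEADER_SIGN):
    """Return 'encrypted', 'plaintext' or 'unknown' for one file."""
    with open(path, "rb") as fh:
        head = fh.read(4096)
    if head.startswith(sign):
        return "encrypted"
    if any(marker in head for marker in PLAINTEXT_MARKERS):
        return "plaintext"
    return "unknown"


def audit_tree(dst_path, sign=HEADER_SIGN):
    """List (relative path, state) for every .php file that is not encrypted."""
    findings = []
    for root, _dirs, files in os.walk(dst_path):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            full = os.path.join(root, name)
            state = classify(full, sign)
            if state != "encrypted":
                findings.append((os.path.relpath(full, dst_path), state))
    return sorted(findings)


def build_sample_tree(base):
    """Constructed sample: one encrypted file and one leaked source file."""
    os.makedirs(os.path.join(base, "app"))
    with open(os.path.join(base, "index.php"), "wb") as fh:
        fh.write(HEADER_SIGN + b"\x00" * 32)  # stand-in for ciphertext
    with open(os.path.join(base, "app", "config.php"), "wb") as fh:
        fh.write(b"<?php $db_password = 'example';\n")
    return base


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for rel, state in audit_tree(build_sample_tree(tmp)):
            print(f"NOT ENCRYPTED ({state}): {rel}")
```

Failing the Jenkins job when audit_tree returns anything keeps a misconfigured src_path or a skipped encryption step from publishing readable source.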
Advantages and disadvantages
Security:
- If a customer downloads the code directly from the target machine, it cannot be decrypted and read normally, because the customer does not know the encryption key.
- If a customer downloads the code plus the beast.so extension from the target machine, php-fpm still cannot start normally, because of the MAC address binding.
Basically, a basic level of security can be guaranteed.
Disadvantages:
- The code must be decrypted at execution time, so there is a slight performance loss.
- Customizing the encryption logic may be difficult. After all, I have almost forgotten C.
A way to crack it:
I only provide the idea here. Because the encrypted code still has to be parsed normally by the Zend engine, by the time the Zend engine compiles the code through its lexer and parser, the code has already been decrypted. That is, the decrypted code is available inside the Zend engine's compile function zend_compile_file on the target machine. You can modify this function to write the decrypted code to a file and thereby obtain the source code, without needing to care about the encryption logic or the key.
Doesn't that sound ridiculous? If I have access to the target machine, I can modify the Zend engine's compilation logic to get the source code. Is this safe?
To be fair, there is no absolute security.
php-beast itself also hooks the zend_compile_file function and completes decryption before the code reaches the Zend engine's compile function.
For this type of extension-based encryption, with server privileges, the difficulty of cracking probably comes down to whether you are familiar with C and with how the Zend engine works.
If you want absolute security (which should not exist), the only option is to modify the compilation logic of zend_compile_file, that is, to change the underlying logic of the Zend engine. This is the approach taken by Swoole Compiler. However, Swoole Compiler works on the compiled opcodes, which means decryption has to be completed before the Zend engine executes the opcodes, or happen dynamically during execution. I don't know much about how Swoole Compiler works. What I do know is that it takes people with a deep technical background to crack Swoole Compiler.
It depends on whether it is worth it.
Safer?
In this case we can enable two layers of encryption. The first layer obfuscates the PHP code using characters between ASCII codes 127 and 255. The second layer encrypts the obfuscated code. That way, even if someone logs on to the server and modifies the Zend engine's parsing function, what they get is still obfuscated gibberish, and restoring it to PHP code will take some time. This only increases the difficulty of cracking; for a patient person it can still be cracked, it is just a matter of time.