March 17, 2012 at 13:27

Educational program by IonCube

    IonCube is a set of command line utilities that allow you to encode, obfuscate, and license the source code written in php.
    The functionality of IonCube is very extensive so that you can write about it in one article. Under the cut, I will describe the main functionality of IonCube, which is necessary to protect the code from non-licensed use.


    List of concepts



    1. Source code coding - a process in which the source code written in php language turns into a set of machine instructions, the reading and decoding of which is as difficult as possible.

    2. Obfuscation - bringing the source code of a program to a form that preserves its functionality, but complicates analysis, understanding of work algorithms and modification.

    3. A license is a special file encoded with a private key that is necessary to run the encoded source code.

    Required Software



    1. IonCube Encoder - a set of binary files for different operating systems, with which you can encode the source code, obfuscate it and generate licenses. Paid software, but you can download the trial version.

    2. IonCube Loader - comes in the form of a .so or .dll library, it is necessary to decode the source code encoded using IonCube Encoder. Free software can be downloaded here .

    Source Code Encoding and Obfuscation



    Depending on the PHP version the code is written for, IonCube Encoder provides the following binaries for encoding and obfuscation: ioncube_encoder, ioncube_encoder5 or ioncube_encoder53
    The format of the command is as follows: Below I will list the main options necessary for encoding and obfuscating the code: --replace-target - option tells the encoder to completely replace the target directory or file, if it already exists, with a new directory or file. For example: --copy @

    ./ioncube_encoder –o [options]





    ./ioncube_encoder unencrypted_folder –o encrypted_folder --replace-target

    - the option tells the encoder to copy the specified file or directory (and all its subdirectories) without encoding its contents. The @ sign indicates that the path to the file or directory to be copied should be sought from the root of the encoded directory. Those. if it was specified to copy the configs directory, then only the configs directory which is in the root of the encoded directory will be copied, and not for example in the sub-category example / configs. An example is the directory where the configuration files are located and which you do not need to encode:

    ./ioncube_encoder unencrypted_folder –o encrypted_folder --replace-target --copy @configs/

    --ignore @- the option tells the encoder to ignore the specified file or directory (and all its sub-directories), while they are not copied to the resulting directory.

    ./ioncube_encoder unencrypted_folder –o encrypted_folder --replace-target --ignore @docs/

    --obfuscate- starts the process of obfuscation of the code, as the objects to which obfuscation is applied can be: functions, linenos, locals or all. For example:

    ./ioncube_encoder unencrypted_folder –o encrypted_folder --replace-target --obfuscate all

    --obfuscation-key “some_unique_key” - a required parameter for obfuscation, which sets a unique key, which makes the process of decoding the code practically impossible.

    ./ioncube_encoder unencrypted_folder –o encrypted_folder --replace-target --obfuscate all --obfuscation-key "It is unique key :)"

    --with-license- the option tells the encoder that the file should request a license file at startup. The path to the license file will be relative to the file that requested it, so it’s better to simply indicate the name of the license file here, which IonCube Loader will look for first in the same directory as the script that requested the license file, and if it doesn’t find it, it will go recursively up to the top root directory. Thus, the license file can be saved simply in the root directory where your application is installed. For example:

    ./ioncube_encoder unencrypted_folder –o encrypted_folder --replace-target --with-license license.txt

    --passphrase- a secret key with which files are encoded. Note : the license file must be generated with the same private key. Required parameter if the parameter is used --with-license.

    ./ioncube_encoder unencrypted_folder –o encrypted_folder --replace-target --with-license license.txt --passphrase some_passphrase

    License creation



    Licenses are created using the make_license binary. Command format for creating a license: --passphrase

    ./make_license –-passphrase –o

    - this option sets the secret key, which is used to generate a signature for the license. Attention : the key must match the key that was used when encoding the source code.

    Server License Limit


    --allowed-server [] [@ []] [{}]- this option is used to limit the validity of the license by domain, IP or MAC address of the server for which it is intended.

    Examples.
    1. Domain restriction: The "@" symbol at the end of a domain means that although the domain is similar to an IP address, it should be taken as a domain. Attention : IonCube Loader uses a design to define a domain . 2. Restriction on IP address: Notes: 1. When a coded file is requested through a web server, the IP is checked against the IP that the web server sends. 2. When the encoded file is requested directly, for example, when dealing with php shell scripts, the IP is compared only with the primary IP address of the network interface.
    --allowed-server www.foo.com
    --allowed-server www.foo.com,www.bar.com
    --allowed-server 1.2.3.4@


    $_SERVER['SERVER_NAME']



    --allowed-server 192.168.1.4
    --allowed-server 192.168.1.4,192.168.1.20




    3. You can not specify in the restriction IP address 127.0.0.1

    3. Restrictions on the MAC address. The MAC address must consist of 6 bytes and must be presented in hexadecimal, for example:

    --allowed-server '{00:01:02:06:DA:5B}'

    4. Combination of restrictions. IonCube allows you to combine restrictions, for example:

    --allowed-server 'www.foo.com@192.168.1.1{00:02:08:02:e0:c8}'

    Time Limit


    --expire-in - allows you to specify the period during which the license is valid from the moment of generation. Periods can be set in the following values: seconds (s), minutes (m). hours (h) or days (d). For example: --expire-on

    --expire-in 360s
    --expire-in 20m
    --expire-in 24h
    --expire-in 365d

    - allows you to specify the exact date until which the license is valid. For instance:

    --expire-on 2012-03-20

    Install IonCube Loader



    1. Download IonCube Loader for your OS, it is free.

    2. In the archive you will find two files with the extension .so or .dll for each php version, one of them will have a “ts” postfix, which means that the “thread safety” functionality for this file is active.

    3. In your php.ini, write the path to the downloaded library. For example: Please note that for PHP version less than 5.3, you need to specify the zend_extension_ts directive if you want to use the library with the "thread safety" functionality. 4. Reboot the web server. That's basically all you need to know to protect your code from non-licensed use. You can find more information on the official IonCube website .

    zend_extension = /usr/local/ioncube/ioncube_loader_lin_5.3.so
    zend_extension = /usr/local/ioncube/ioncube_loader_lin_5.3_ts.so
    zend_extension_ts = /usr/local/ioncube/ioncube_loader_lin_5.2.so





    Tags:

    Also popular now: