What does this PHP do? Is it an encoder/decoder?

Asked 7/10, 2010 at 18:57 Answered 7/10, 2010 at 19:4

I don't know PHP at all; this is more of a question of curiosity.

Following the PHP function below in the text file are a few thousand characters of text, such as:

xnEFstUhSNWGSx5zTq4X/AUw/rtism+klrBETWg0xE1uwb49rnRxrgrgY5EEp3Y0uvTcvLqhUFOP
4n7LDLQpQ9UACTyuUjGBKmUScQCYLCP08u06t0K3nWTNiM7Q6bQMk/iZBE+UK1ywbVC1Lzr9OOEK

Does this php function encode the random-looking text into php? Can the encryption scheme be figured out from this?

EDIT: The client says he has full ownership and rights to the code, developed by someone else. How would it be decoded? Does it require a password?

<?php //003ac
if (!extension_loaded('ionCube Loader')) {
    $__oc = strtolower(substr(php_uname(), 0, 3));
    $__ln = 'ioncube_loader_' . $__oc . '_' . substr(phpversion(), 0, 3) . (($__oc == 'win') ? '.dll' : '.so');
    @dl($__ln);
    if (function_exists('_il_exec')) {
        return _il_exec();
    }
    $__ln   = '/ioncube/' . $__ln;
    $__oid  = $__id = realpath(ini_get('extension_dir'));
    $__here = dirname(__FILE__);
    if (strlen($__id) > 1 && $__id[1] == ':') {
        $__id   = str_replace('\\', '/', substr($__id, 2));
        $__here = str_replace('\\', '/', substr($__here, 2));
    }
    $__rd = str_repeat('/..', substr_count($__id, '/')) . $__here . '/';
    $__i  = strlen($__rd);
    while ($__i--) {
        if ($__rd[$__i] == '/') {
            $__lp = substr($__rd, 0, $__i) . $__ln;
            if (file_exists($__oid . $__lp)) {
                $__ln = $__lp;
                break;
            }
        }
    }
    @dl($__ln);
} else {
    die('The file ' . __FILE__ . " is corrupted.\n");
}
if (function_exists('_il_exec')) {
    return _il_exec();
}
echo ('Site error: the file <b>' . __FILE__ . '</b> requires the ionCube 
PHP Loader ' . basename($__ln) . '  to be installed by the site administrator.');
exit(199);
?>

Cubiform answered 7/10, 2010 at 18:57 Comment(3)

looks like the snippet below is trying to load a file......possibly execute it too... yea, it's possible it's trying to decode and execute that garbled text. – Hunt 7/10, 2010 at 19:1

FYI - Depending on location, the client may not have full rights to the code unless it was expressly stated in his contract. In some areas, code ownership stays with the person(s) who wrote it regardless of who commissioned it. If the dev obfuscated the code and didn't provide a non-obfuscated version then s/he probably felt that they owned it. Proceed with caution. If the client truly owns it then they should contact the original dev for a non-obfuscated version... at no additional cost. – Penton 1/11, 2010 at 22:1

If, for some reason, the client feels they can no longer contact the original dev (short of death) to get the non-obfuscated version, then this would be a red flag to me about the potential future relationship with said client. – Penton 1/11, 2010 at 22:3

It's practically ioncube-encoded PHP, or obfuscated if you like. Ioncube is a non-free obfuscated-bytecode execution engine and the ioncube loader is the library which handles the obfuscated code.

Worth to mention that the 'deobfuscator' is a free library, and it's loaded in most of the PHP installations I've seen.

Azo answered 7/10, 2010 at 19:4 Comment(2)

+1 for non-free. ionCube themselves (as well as Zend Optimizer, another obfuscater which has nothing to do with performance) do say they are free, but they're only free as in "no cost", not free as in free software. Those products are advertising themselves as "free extensions" to push users to blame webhosting companies without those extensions. – Rubescent 7/10, 2010 at 19:7

So many answers that are correct, but this one is the highest rated. – Cubiform 17/10, 2010 at 17:47

It's encrypted by ionCube. The ionCube extension will handle the decryption of the code. It's probably possible to decode it by yourself, but check your license agreement with the developer because it's not certain that it's legal to do so.

That part of the code will only check if the ionCube extension is installed on your server. It is not involved in the decryption of the file (I think, it's not easy to read obfuscated code :-)).

Manners answered 7/10, 2010 at 19:1 Comment(2)

Thanks for the input. The client says he has full ownership and rights to the code, developed by someone else. How would it be decoded? With a password and with the Ioncube decoder package? – Cubiform 7/10, 2010 at 19:13

Try searching for an ionCobe decoder. I've heard of sites doing the equivalent for Zend Optimizer but don't know about ionCube. But don't count on getting anything useful out of it because they've probably obfuscated all variables and function names as well, even after you've decoded the string. Try get a hold of the original source code instead, or tell your client that the code is encrypted and can't be changed without doing it from scratch. – Rubescent 7/10, 2010 at 19:59

Here is the code formatted:

<?php
  //003ac
  if (!extension_loaded('ionCube Loader')) {
      $__oc = strtolower(substr(php_uname(), 0, 3));
      $__ln = 'ioncube_loader_' . $__oc . '_' . substr(phpversion(), 0, 3) . (($__oc == 'win') ? '.dll' : '.so');
      @dl($__ln);
      if (function_exists('_il_exec')) {
          return _il_exec();
      }
      $__ln = '/ioncube/' . $__ln;
      $__oid = $__id = realpath(ini_get('extension_dir'));
      $__here = dirname(__FILE__);
      if (strlen($__id) > 1 && $__id[1] == ':') {
          $__id = str_replace('\\', '/', substr($__id, 2));
          $__here = str_replace('\\', '/', substr($__here, 2));
      }
      $__rd = str_repeat('/..', substr_count($__id, '/')) . $__here . '/';
      $__i = strlen($__rd);
      while ($__i--) {
          if ($__rd[$__i] == '/') {
              $__lp = substr($__rd, 0, $__i) . $__ln;
              if (file_exists($__oid . $__lp)) {
                  $__ln = $__lp;
                  break;
              }
          }
      }
      @dl($__ln);
  } else {
      die('The file ' . __FILE__ . " is corrupted.\n");
  }
  if (function_exists('_il_exec')) {
      return _il_exec();
  }
  echo('Site error: the file <b>' . __FILE__ . '</b> requires the ionCube 
PHP Loader ' . basename($__ln) . '  to be installed by the site administrator.');
  exit(199);
?>

It looks like this checks for the ionCube Loader and decodes the encrypted php by various methods if the extension is found. Otherwise, it lets the admin know he/she needs to install the extension.

edit: looks like you formatted the text while I was answering.

Pontifical answered 7/10, 2010 at 19:3 Comment(1)

Just doing you civic duty, haha. – Pontifical 7/10, 2010 at 19:8

According to this site, it is an encoder. I guess it is for code obfuscation.

http://www.ioncube.com/

Hautegaronne answered 7/10, 2010 at 19:2 Comment(3)

It's better than obfuscation because it can't be decoded easily, although some people out there claim to do it for a hefty fee! There's other features of course such as IP/domain limiting, licensing, time expiry, etc... – Bolus 7/10, 2010 at 19:15

Hefty fee? One Google search turned up $15 for one file, and $100 for 10 files... So yeah, it's not dirt cheap, but I wouldn't call that hefty either (unless you had a lot of files to decode)... – Regressive 7/10, 2010 at 20:52

@ircmaxwell - things have clearly got easier then! When I first started using it, it was practically impossible to decode. Food for thought right there! :) – Bolus 8/10, 2010 at 6:15

Yes, it's to encrypt / decript PHP source. You can see at the bottom it refers to ionCube products.

Spontoon answered 7/10, 2010 at 19:0 Comment(0)

Recommended topics

Hot tags