Is there a code obfuscator for PHP? [closed]
A

10

227

Has anybody used a good obfuscator for PHP? I've tried some but they don't work for very big projects. They can't handle variables that are included in one file and used in another, for instance.

Or do you have any other tricks for stopping the spread of your code?

Athey answered 24/10, 2008 at 7:25 Comment(11)
Are you sure you need to?Lamed
@StevenA.Lowe: beware of making fun of PHP. :-)Padang
TRY: github.com/…Forehanded
Why would you want to?Irmgardirmina
If you think this should not be closed, then vote to re-open.Mezzorelievo
@NiettheDarkAbsol Because if you create a piece of commercial software, you don't necessarily want to just give the source code away.Rauch
Stackoverflown are running by spoiled kids. This is a fact!Unsustainable
This question must re-open. This is a valid questionAvaavadavat
Good questions have a right answer. The only right answer to "do you have any other tricks for stopping the spread of your code?" is "yes"; it's not a good question. This is however a good prompt for a wiki page titled, "Tips and Tricks for Protecting PHP".Cyrillus
github.com/pk-fr/yakpro-po is the best I foundScenario
I don't see a way to vote to re-open, just the usual way to upvote, which I've done. There is nothing wrong with engineers giving opinions on products to other engineers!Marj
Z
254

You can try PHP protect which is a free PHP obfuscator to obfuscate your PHP code.
It is very nice, easy to use and also free.
EDIT: This service is not live anymore.

As for what others have written here about not using obfuscation because it can be broken etc:
I have only one thing to answer them - don't lock your house door because anyone can pick your lock.
This is exactly the case, obfuscation is not meant to prevent 100% code theft. It only needs to make it a time-consuming task so it will be cheaper to pay the original coder.

Zettazeugma answered 26/2, 2011 at 16:40 Comment(9)
+1 for pointing out the fact that obfuscation is about making it Harder, not impossible.Gulgee
Take note that encrypting your source code instead of obfuscating it doesn't make it impossible to decrypt either; it's just really hard to do so.Bouie
Tried it, but did not like it. It only changes variable names; it does not remove comments either.Moonshine
I remember this software; it cleaned my whole hard drive. Never choose a source like d:\ :)Forehanded
@Schwern, Leave your door unlocked then hire Columbo and a really good lawyer, to cover yourself ;)Delphinus
Php Protect is not a good program. It's showing some errors.Reprise
@David Newcomb - Who wants to pay a really good lawyer when you can just lock the door?Inseparable
PHP Protect does not obfuscate function names. Since it removes comments instead of replacing them with nonsense text, the result is not very hard to understand. It doesn't seem to do much more than blank out comments and use meaningless variable and constant names. And it claims to be "flawless". ADDED: their contact page uses a non-functioning CAPTCHA, so they cannot receive problem reports.Marj
Don't click the link, it leads to the phishing website now. I guess the domain was repurchased...Expiry
C
114

People will offer you obfuscators, but no amount of obfuscation can prevent someone from getting at your code. None. If your computer can run it, or in the case of movies and music if it can play it, the user can get at it. Even compiling it to machine code just makes the job a little more difficult. If you use an obfuscator, you are just fooling yourself. Worse, you're also disallowing your users from fixing bugs or making modifications.

Music and movie companies haven't quite come to terms with this yet, they still spend millions on DRM.

In interpreted languages like PHP and Perl it's trivial. Perl used to have lots of code obfuscators, then we realized you can trivially decompile them.

perl -MO=Deparse some_program

PHP has things like DeZender and Show My Code.

My advice? Write a license and get a lawyer. The only other option is to not give out the code and instead run a hosted service.

See also the perlfaq entry on the subject.

Cyclops answered 24/10, 2008 at 7:36 Comment(23)
I would like to echo Schwern's comment about not being able to fix bugs and make modifications. If you're planning on selling/supporting your software, the obfuscation will just make your life hell as you'll be really limited in any sort of debugging you can do on a live server.Qualmish
I mostly agree with you, but the OP asked for a product recommendation, not a lecture on the merits of open source.Riki
Has nothing to do with Open Source, which is about mashing up the code not just being able to see it. The reality is that any code or data which runs on a user's machine is ultimately transparent no matter how you compile or obfuscate or encrypt it, full stop. The OP needs to understand that.Cyclops
@JamShady: Obfuscation does not mean you can't fix bugs or make modifications. If you stupidly obfuscate the source code, throw the original away, and insist on maintaining the obfuscated result, yes, you won't be able to do anything. Good obfuscators insist you retain your code and the mapping to the obfuscated result; you can debug/modify your original code, ship obfuscated patches to your customers, and even diagnose his problems by using the map to convert obfuscated complaints back into readable ones. He doesn't have the map, which makes this safe.Mezzorelievo
Question:How, Answer: You shouldn't = not helpfulCompressed
@Compressed I'm confident plenty of people will directly answer the question, so there's no loss with my taking a different tack. Half the point of asking an expert is they know when you're asking the wrong question to solve the real problem. This is an application of the "5 Whys". en.wikipedia.org/wiki/5_Whys The real problem/question is "how do I stop people from being able to read/steal my PHP code". The answer is if you ship the code you can't, but you can waste a whole lot of time and money trying and gain a false sense of security. Wasn't that more helpful than a list of obfuscators?Cyclops
@Schwern: The 5 whys is an interesting read. However, can one get all the context right to find the root cause from a single question?Compressed
@Compressed Because the OP's question is so commonly asked and it always turns out the same way. If "I need an obfuscator" isn't immediately followed by "and I understand that obfuscators cannot actually stop a mildly dedicated attacker" then I'm pretty sure they haven't thought it through. I could spend a bunch of time going back and forth with the OP asking each why and getting back the expected response just to be sure... or I can save us all a bunch of time, take a leap of logic (a short hop in this case) and skip to the end.Cyclops
@Schwerm: Fair enough. My humble opinion for a best practice for this situation: Question:Unqualified-How. Answer: Here's how + Beware.Compressed
How can you effectively enforce your license once you have it? Bringing in the lawyers is usually the last resort. I would imagine obfuscating your code to prevent license infringement is cheaper and more effective than having to rely on paying your lawyer every time. Also, relying on your lawyer means that you require knowledge of the infringement. If I can do nothing and have 40% infringement, license/lawyer for 20% infringement, or license/lawyer/obfuscate for 5% infringement, then I'd probably choose the latter option. Regardless, this is all off topic for the question asked by OP.Giblet
Great! Just give some spaghetti code and the problem is over!Psychobiology
@Schwerm: I've been thinking long and hard about whether or not code obfuscation is a waste of time, and I have come to the conclusion that it is not. Please kindly nullify the following argument if you can.Compressed
@Compressed Error: following argument not found.Cyclops
@Schwerm: Whoops, thought I deleted that comment for more thinking. Here goes the (WIP) argument. Code obfuscation can actually remove information from code by replacing high level structures with low level structures. That, combined with that the programmer's intentions are already not always obvious from the code he wrote, can push the difficulty of reverse-engineering from the obfuscated code beyond the point where it is easier to reverse-engineer from user experience, at which point the obfuscation would be successful.Compressed
@Compressed I agree about the cost/benefit, but is obfuscation adding nearly the cost you think? Compilers do the obfuscation you talk about as a side effect, and there's been decades of work on attacking compiled code. The attackers often have modes of attack which make obfuscation moot. For example, if I want to know all the I/O a program is doing I can use a tool like strace. There's only so many ways you can prevent someone from running your code, usually it involves a secret key and/or network handshake. Finally, once one person posts how to break your security the cost is gone.Cyclops
@Schwerm: But take a custom hash algorithm; looking at the contents of a function aKhlqj('foobar') and finding out it is a sha-256 with custom initialization constants will absolutely take more time than taking a glance at the call sha256_variant_with_custom_initialization_constants('foobar'). How much longer, and for whom, and whether it's worth it in that case does not seem to have a general answer. Which is kind of my point: Obfuscation is not inherently a waste of time, only when you want to use it without thinking as a feel-good-feel-safe shortcut.Compressed
@Compressed The OP had a specific scenario: they wanted to stop the spread of their code. Wanting to obfuscate as a solution is a red flag that there is a XY problem. The OP wants X. They think Y will solve it. They ask about Y instead of X. We waste a bunch of time on Y when it's a poor solution to X. If you can figure out what X is, you can save everybody a lot of time and frustration. In a deleted answer, the OP revealed they're on a shared server. The very simple solution to their X is to get a private server!Cyclops
I do in fact believe that server side obfuscation has its merits. Warped code is a small deterrent, but one nonetheless. If you detect a server breach the obfuscation could save your ass while you push an emergency patch, or lock up the database, etc. No, obfuscation alone will not keep you safe - but security comes in layers and obfuscation are the maggots in the cake.Splatter
"just makes the job a little more difficult"... Yeah! That's what is going on.Phytogeography
I want to obfuscate my open source security program only to make it harder for malicious users to misuse it. I intend to make all my algorithms public, just not the code. By giving malicious users an up-front obstacle, I give them a hint right away that it will take a great deal of work on their part to break this program and misuse it.Marj
@DavidSpector That might be the hint you're trying to give, but the real hint you're giving is security naivete. Deobfuscators are freely available. And it's not Open Source if you only provide obfuscated source! Why don't you post a link to your obfuscated source here, or maybe somewhere like Reddit, and see how it stands up to public scrutiny?Cyclops
Schwern or Schwem, I disagree with you. Changing identifiers makes the meaning of code much harder to understand. I have searched for an obfuscator at a reasonable price and cannot find one, so I have started to create my own (I'm a retired engineer). I will post examples here if I find the project doable. I will be very interested in your feedback. And my security program is not open source; another program is. And just so you know, the algorithms for a good security program must be made public to assure users that they are indeed secure. This is not the same as the open source question.Marj
@DavidSpector Well, good luck! I hope it's a fun project. Do let us know when you've got your obfuscation done. And yes, my name is a kerning challenge. :)Cyclops
S
32

Nothing will be perfect. If you just want something to stop non-programmers then here's a little script I wrote you can use:

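<?php
// Usage: php <this script> <input file> <output file>
$infile  = $_SERVER['argv'][1] ?? null;
$outfile = $_SERVER['argv'][2] ?? null;
if (!$infile || !$outfile) {
    die("Usage: php {$_SERVER['argv'][0]} <input file> <output file>\n");
}
echo "Processing $infile to $outfile\n";
// statement that eval() runs first, before the original file's content
$data = "ob_end_clean();?>";
// append the source with comments and whitespace stripped
$data .= php_strip_whitespace($infile);
// compress data
$data = gzcompress($data, 9);
// encode in base64
$data = base64_encode($data);
// generate output text (full "<?php" tag so it also works with short_open_tag disabled)
$out = '<?php ob_start();$a=\''.$data.'\';eval(gzuncompress(base64_decode($a)));$v=ob_get_contents();ob_end_clean();?>';
// write output text
file_put_contents($outfile, $out);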
Sterilize answered 23/9, 2010 at 18:20 Comment(3)
Awesome? Every page comes with the complete solution to getting the source: run "gzuncompress(base64_decode($a))". Yes, this will stop non-programmers. But then the original source code will stop non-programmers, who needs encoding for that? The only person who is going to look at this intending to reverse engineer it is a PHP programmer.Mezzorelievo
Most of the time non-programmers try by searching for some strings in the source code that they want to change. I am also looking for such a solution that only stops non-programmers from changing things in the source code, e.g. domain name, database name, users, etc.Bisexual
This is a very helpful answer for me. I'm only interested in preventing the user from easily opening my "database.php" in notepad and seeing my database username and password.Capacitor
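Added example, not part of the answer or its comments: the first comment above notes that every wrapped file carries its own decoder, which is also what lets a reviewer audit such a file without running it. The Python code below statically unwraps the eval(gzuncompress(base64_decode(...))) shape with a size cap and a nesting limit; the function names and the sample file contents are constructed for illustration.

```python
import base64
import re
import zlib

B64 = r"(?P<b64>[A-Za-z0-9+/=\s]+)"
# Shape emitted by the script in the answer:
#   $a='<base64>'; ... eval(gzuncompress(base64_decode($a)))
VAR_FORM = re.compile(
    r"\$(?P<var>\w+)\s*=\s*'" + B64 + r"'\s*;.*?"
    + r"eval\s*\(\s*gzuncompress\s*\(\s*base64_decode\s*\(\s*\$(?P=var)\s*\)\s*\)\s*\)",
    re.DOTALL,
)
# Same idea with the literal passed inline:
#   eval(gzuncompress(base64_decode('<base64>')))
INLINE_FORM = re.compile(
    r"eval\s*\(\s*gzuncompress\s*\(\s*base64_decode\s*\(\s*(?P<q>['\"])"
    + B64 + r"(?P=q)\s*\)\s*\)\s*\)"
)

MAX_BYTES = 5 * 1024 * 1024  # cap per decoded layer (decompression-bomb guard)
MAX_LAYERS = 10              # wrappers can be nested; stop after this many


def bounded_inflate(blob, limit=MAX_BYTES):
    """Inflate a zlib stream (the format PHP's gzcompress() writes).

    Raises ValueError if the stream is truncated or would exceed `limit`.
    """
    d = zlib.decompressobj()
    out = d.decompress(blob, limit)
    if not d.eof:
        raise ValueError("zlib stream truncated or larger than limit")
    return out


def unwrap(php_text, limit=MAX_BYTES):
    """Return every decoded layer, outermost first. No PHP is executed."""
    layers = []
    current = php_text
    for _ in range(MAX_LAYERS):
        m = VAR_FORM.search(current) or INLINE_FORM.search(current)
        if m is None:
            break
        try:
            raw = base64.b64decode(m.group("b64"))
            current = bounded_inflate(raw, limit).decode("utf-8", errors="replace")
        except (ValueError, zlib.error):
            break  # not a valid payload; keep only the layers decoded so far
        layers.append(current)
    return layers


def encode_like_answer(php_source):
    """Constructed stand-in for the answer's script, used only to build input here."""
    data = "ob_end_clean();?>" + php_source
    b64 = base64.b64encode(zlib.compress(data.encode("utf-8"), 9)).decode("ascii")
    return ("<?php ob_start();$a='" + b64 + "';eval(gzuncompress(base64_decode($a)));"
            + "$v=ob_get_contents();ob_end_clean();?>")


# Constructed sample: the kind of file the last comment above wants to hide.
SAMPLE = "<?php\n$db_user = 'app_user';\n$db_pass = 'example-password';\n"

if __name__ == "__main__":
    wrapped = encode_like_answer(SAMPLE)
    print("literal visible in wrapped file:", "example-password" in wrapped)
    for depth, layer in enumerate(unwrap(wrapped), 1):
        print("--- layer", depth, "---")
        print(layer)
```

The encoded file hides the literal from a plain text search, but the decoded layer contains it verbatim, so credentials in a wrapped file should still be treated as readable by anyone who can read the file.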
B
21

I'm not sure you can label obfuscation of an interpreted language as pointless (I'm unable to add a comment to Schwern's post, so here goes a new entry).

I think it's a little shortsighted to assume you know all the possible scenarios where someone would like to obfuscate code, and you assume that anyone will actually be willing to go to whatever necessary lengths to view that code once obfuscated. Consider my current scenario:

I work for a consulting company that is developing a large and fairly sophisticated PHP-based site. The project will be hosted on a client's server that is hosting other sites developed by other consultancies. Technically any code we write is owned by the client, so we can't license it. However, any other consultancy (competitor) with access to the server can copy our code without getting permission from the client first. We therefore have a genuine reason for obfuscation - to make the effort required for a competitor to understand our code more than the effort of creating a copy of our work from scratch.

Bleeding answered 5/3, 2011 at 0:48 Comment(0)
M
16

See our SD Thicket PHP Obfuscator for an obfuscator that works just fine with arbitrarily large sets of pages. It operates primarily by scrambling identifier names. With modest to large applications, this can make the code extremely difficult to understand, which is the entire purpose.

It doesn't waste any energy on "eval(decode(encodedprogramcode))" schemes, which a lot of PHP "obfuscators" do [these are "encoder"s, not "obfuscator"s], because any clod can find that call and execute the eval-decode himself and get the decoded code.

It uses a language-precise parser to process the PHP; it will tell you if your program is syntactically invalid. More importantly, it knows the whole language precisely; it won't get lost or confused, and it won't break your code (other than what happens if you obfuscate "incorrectly", e.g., fail to identify the public API of the code correctly).

Yes, it obfuscates identifiers identically across pages; if it didn't do that, the result wouldn't work.

Mezzorelievo answered 7/5, 2010 at 2:38 Comment(7)
From what I can tell this is an EXE that runs under Windows only? At least the eval is a .exe file...Rositaroskes
The eval file is a .exe-based installer. The complicated truth is the installed product usually runs from a .cmd script because there's a parallel programming language underneath it, but you'll never see that. It was designed as primarily a Windows product; however, if you install it on Linux with Wine, it will run with .sh scripts that are installed with it as though it were a native Linux tool. If you use the GUI portion (optional, most people want to run it as a script in a production build process), it uses the native Java on Windows, and the native Java on Linux.Mezzorelievo
Is it true that Thicket requires addon to the hosting space? If yes, how does that get installed on a shared hosting?Beast
@StephenAdelakun: Thicket requires no changes to the server. Download it and check the documentation.Mezzorelievo
Thicket is $200, and based on their website I see no advantage over a free obscuration program that would be worth this cost. I am an independent software engineer and cannot afford this kind of expenditure.Marj
@DavidSpector: Without actually trying it, you might not find why it is a reliable tool for handling small and large websites. You can download and try it for free.Mezzorelievo
@Ira Baxter: I assume it is reliable and complete, at that price. However, if I have to, I can take several days to write a program to parse enough of PHP to remap function and variable names and a little more of the obvious stuff, and this is the basis of obfuscating very nicely. Then maybe I'll become a competitor of yours, at considerably less than your ridiculous $200 price tag.Marj
F
14

The best I've seen is Zend Guard.

Fatherless answered 24/10, 2008 at 7:30 Comment(9)
The SD PHP Obfuscator is just as good, and costs about 1/5th.Mezzorelievo
@SalmanPK And the reason for that is supposed to be obvious?Spite
@SalmanPK It requires an addon to the web hosting space. Zend Guard probably does too. Not sure which is the most mainstream. Anyway, problem is that it cuts down your potential audience.Jochebed
SD's PHP Obfuscator converts all to lowercase. That'll be a problem if you're using a framework.Mockup
The downside is that it's expensive.Howardhowarth
@AmilWaduwawara: What specific entities do you think are lowercased? Can you show a specific problem with such lowercasing?Mezzorelievo
@JamesPoulson: It is unclear if your remark is pointed at the SD PHP obfuscator. Just to be clear, it does not require any addon to the web hosting space.Mezzorelievo
@AmilWaduwawara: Wouldn't you only be looking at the unobfuscated code in your IDE? How would that affect a framework?Hillyer
Zend Guard STARTS at $600 PER YEAR. Now I'm really inspired to write my own.Marj
C
11

Try this one: http://www.pipsomania.com/best_php_obfuscator.do

Recently I wrote it in Java to obfuscate my PHP projects, because I didn't find any good and compatible ready-written one on the net. I decided to put it online as SaaS, so everyone can use it for free. It does not change variable names between different scripts for maximum compatibility, but it obfuscates them very well, with random logic, and every instruction too. Strings... everything. I believe it's much better than this buggy codeeclipse, which is by the way written in PHP and very slow :)

Chophouse answered 26/3, 2010 at 21:42 Comment(12)
Looks good... but is it secure? I mean, can others decrypt it easily?Bookstall
I can assure you that by this moment NOBODY can de-obfuscate the code obfuscated by this obfuscator.Chophouse
[citation needed] - homebrew encryption is security through obscurity, which is no security at all.Penalize
pipsomania apparently replaces some variable names by names obfuscated as ${GLOBAL[<randomstring>]}, which isn't much different than replacing those variable names with $<randomstring>, except that it slows down code execution. But it doesn't obfuscate function names, class names or member names. It adds some extra assignment statements but they don't seem to be anything except extra assignment statements.Mezzorelievo
Parse error: syntax error, unexpected T_CONSTANT_ENCAPSED_STRING in ..... Line 1 o_OPsychobiology
"I can assure you that by this moment NOBODY can de-obfuscate the code" Even PHP? If PHP can do it so can someone else. Looking at the sample code on your site, somewhere you'll have an eval statement that dumps the code out; change that to an echo and your code will be displayed.Tarahtaran
No, it's not secure. With a little bit of code you can reverse it. I don't want to release the code for reversing it because it would be disrespectful to the author. But, I also do want to caution to someone that if they really really really intend for their code to be secured by this tool, it won't do it.Bitt
Scott Herbert: You are talking automatically my friend, why so? First find a place in the code processed by this obfuscator, where you can dump the code by "an echo", and then talk. Not the other way around.Chophouse
@PatlaDJ: indeed there is no need for an eval. Just looking at the sample code in your webpage I can read "GlobalLS" and "Timeofstartt" with the naked eye. It would take no time to write a short script to decode that code. I agree that in a big project just assigning random names to variables and mangling the indentation is a decent level of obfuscation, but your algorithm doesn't look like it goes beyond that.Picofarad
WARNING: This method can be trivially decoded back to the original variable names, see: lombokcyber.com/en/detools/decode-pipsomaniaTallinn
@Chophouse It's nice. Would you please clarify the requirements to use it, like minimum PHP version, whether any encryption extension needs to be enabled, etc.?Murtagh
Dead link! "The requested URL /best_php_obfuscator.do was not found on this server."Marj
M
3

Thicket™ Obfuscator for PHP

The PHP Obfuscator tool scrambles PHP source code to make it very difficult to understand or reverse-engineer (example). This provides significant protection for source code intellectual property that must be hosted on a website or shipped to a customer. It is a member of SD's family of Source Code Obfuscators.

Micropathology answered 6/12, 2012 at 5:27 Comment(14)
TrueBug.com is unreachable. I know I am posting comment after more than 3 years, but can you please help with new url of trueBug, if any?Beast
@StephenAdelakun Do you only need TrueBug? Use this: TruBug PHP Obfuscator.Micropathology
Sorry, the link is not working. Or am I missing something?Beast
@StephenAdelakun I just checked now, it works.Micropathology
Yeah, the link is working but can't download anything. Just links and links...in circles.Beast
@StephenAdelakun Why only that? :( That's dead software anyway. There are better and awesome ones now right?Micropathology
I really love to have an awesome PHP obfuscator freemium or premium. I only need to be dead sure of the quality before paying. And I need guide, an authority, to make that decision. That is why I am here, searching.Beast
@StephenAdelakun Then give me a day. I will find out the best one for you and give it to you for free. :)Micropathology
Hello @Praveen, I have waited for weeks. Do I look elsewhere? I know you may be busy, but can you still squeeze me into your programme?Beast
Not everyone can afford $200 for a tool that gives only false reasons why it's better than a free obscuring program.Marj
@DavidSpector Sorry mate, can't find anything that's open source and great! :(Micropathology
@StephenAdelakun Sorry mate, can't find anything that's open source and great! :(Micropathology
Okay, I've started to write my own. I'll announce it here if I find the project doable.Marj
@DavidSpector It would be awesome!!! I am waiting too. I can contribute if you need... :)Micropathology
H
2

Using SourceGuardian is good as it comes with a cool and easy to use GUI.

But be aware:

Pay attention to its -rather funny- licensing terms.

  • You are only allowed to run 1 per machine -so far this is acceptable
  • If you want to run the command line interface on another machine, say your web server, YOU WILL NEED ANOTHER LICENSE (Yes, it's funny and I can hear you laughing too).
Hullda answered 28/11, 2012 at 19:41 Comment(5)
That seems normal to me! 2 machines = 2 licenses! Usually what people do is encode it all on one machine, then upload it to the other(s).Delphinus
@davidnewcomb you do not seem to get the point. You usually encrypt code on your dev machine before shipping it. In case you need to do it online the command line interface also requires an additional license, which is obviously not right. You tend to put the command line interface on the web server and not on your local box.Hullda
TL;DR good protection, stupid licensing terms.Hullda
Should be 1 license per user, not per machine.Marimaria
@Marimaria Totally agree!Hullda
R
-20

Obfuscation is only adding another layer of potential bugs and security vulnerabilities to your program. Please don't do it.

The kind of people who write obfuscation software usually seem very sketchy and non-skilled anyway.

If your code is "great", crackers will go through great lengths to spread it, regardless of whether or not it is obfuscated. If nobody knows/cares about your code, they probably won't, either.

Roderickroderigo answered 7/5, 2010 at 2:59 Comment(13)
Nonskilled? Based on what evidence? I write them. Check my bio before you go making sweeping generalizations. semanticdesigns.com/Company/People/idbaxterMezzorelievo
@Ira: My statement still holds. Most obfuscated code can be broken within minutes. I specifically meant, most people who do it are unskilled, not all. First thing that came to mind was Ioncube, and surely enough, it had a vulnerability published: osvdb.org/show/osvdb/41708. Then again you could probably partially blame that on PHP's obscure security requirements.Constanceconstancia
OK, you are suggesting that people don't use bad products, or those designed by non-skilled people. Hard to disagree with this.Mezzorelievo
Nope, I'm suggesting that obfuscation is harmful because it decreases my confidence that a program I'm using works and it massively increases the chance of introducing security vulnerabilities; not something we need more of in today's systems. I really doubt a company's profit is largely influenced by whether or not they use obfuscation.Constanceconstancia
Obfuscation, if done with a reliable tool, changes nothing about the reliability of a program. Binary compilation is a kind of extreme obfuscation, and yet I'd guess you are confident that Zend's PHP engine is reliable. (Obfuscation or compilation done with bad tools shouldn't count).Mezzorelievo
How can an obfuscator have no bugs? If such a tool exists, the deobfuscation process would be trivial. Most obfuscators I've seen completely change the semantics of the application as well as introduce arbitrary restrictions. How can you even obfuscate PHP when the language is unspecified and all kinds of code exists on undocumented/built in library language features? I have trouble even seeing how you can do alpha conversion in PHP without screwing up the user's code or restricting what they can do in some way.Constanceconstancia
On a side note, "Binary compilation is a kind of extreme obfuscation". Is exactly correct. For example, the only rationalization of the JVM bytecode is for obfuscation, they could have easily designed an architecture that allows end users to have code automatically compiled from source and cached, or have a progressively optimized compiled code cache with time, etc. Now we have the nonsense problems caused by bytecode incompatibilities with proposed features and Dalvik, etc.Constanceconstancia
"How can you obfuscate PHP when the language is unspecified...?" If you are going to ask that question, how can you run any PHP program regardless of whether it is obfuscated or not? Obfuscation isn't the issue in that case, so you shouldn't be hanging that problem on obfuscation. Whether you think so or not, lots of people (e.g., FaceBook) think PHP is well enough defined. And if it is, then you can define an obfuscator well enough.Mezzorelievo
OMG. Mostly I agree with all of the parties. Obfuscated code could be easily deobfuscated - but only when You know it is obfuscated and know what to do to deobfuscate it. Normally I don't even think about obfuscating of my work, but consider You are working on a project for a client that don't want to pay "extra license" but still want to own the source code. In that way I'll consider obfuscating of that code - client will own it but couldn't re-use/understand/read it. And if that client doesn't understand programming he could hardly realize that this code is "just" obfuscated...[next comment]Cabalistic
This can also be used in the situation when I want make the client to ask me for any changes, new functionality, etc., without asking a third-party. [hawk]Cabalistic
Anyone with half a brain knows that PHP is struggling (read "non-existent") in the real world enterprise software market because it's not obfuscated on the and asp.net is. I am so sick of weak minded evangelists saying anything else. (and yes, that's what willful ignorance is) Open Source has been out too long and been tried and found wanting too often for there to be any other conclusion than this: hobby? Open Source. Job? Encrypt. Only fools/idiots/people who live in a bubble/have a rich pater can ever ever ever ever EVER think different.Continue
That comment is almost incomprehensible to me, but it seems to be implying that it makes no sense to sell open source software or software that builds upon open source software. In case you didn't notice, Java is "enterprise", open source, and just as successful as that .NET thing. my company makes millions of dollars, and we never had to use obfuscation. Ask yourself this: what good is selling software if you can't support/improve it (i.e: you just cracked someone else's software and resold it)?Constanceconstancia
Well I guess Longpoke has a point. In some cases it's not good to obfuscate, and in some cases it is.Howardhowarth
