PHP Classes

File: ssm.txt

Recommend this page to a friend!
  Classes of Zubov Ilya   Solace script maze   ssm.txt   Download  
File: ssm.txt
Role: Documentation
Content type: text/plain
Description: Documentation
Class: Solace script maze
PHP source code protection based only on PHP code
Author: By
Last change:
Date: 18 years ago
Size: 8,655 bytes


Class file image Download
Solace Script Maze v1.1 (light edition) (c) Zilav, 2003-2004 <> //================================================================== I'm sorry for all grammar mistakes below, English in not my native language, and I'll try to be short. //================================================================== 1. Introduction 2. Requirements 3. Installation 4. Options 5. Tips 6. Conclusion //================================================================== 1. Introduction //================================================================== Solace Script Maze (SSM) is meant to protect PHP scripts from stealing and modifications. It uses only PHP functions to encode scripts, so NO additional extensions are required to encode and execute protected scripts. SSM uses 'maze' technology - circular encryption of script by random methods desired times. Now exists several similar protection systems for PHP, but they all try to do the same - just to encode your script with some algorithm, possibly using your own key (user password). The main disadvantage of such method is that any experience PHP programmer can easily hack it, like any interpreter language script (it's easy to avoid Javascript protection on web pages, isn't it?). That's why SSM tries to not 'encode' your script, but to 'hide' it inside a 'maze' of different protection procedures. Your own script remains inside protection wrapper unmodified, as is. On every mazing step decoding procedure is morphed (or simply saying uniquely modified) to prevent automatic decryption, thus forcing a possible hacker to do all the job by hands, spending his time (and money as well). And protection is successful when hacking costs are equal to buying. I must admit, that by directly modifying PHP it will be rather easy to decode scripts (PHP open source is headache for protection), that's why SSM optionally supports Turck MMCache and Turck Loader ( which can convert your scripts into precompiled opcodes (like Zend Encoder), and this is almost irreversible. But to execute scripts Turck extension must be installed. SSM was tested with PHP4 and PHP5 on Windows 9X/2K/XP, Linux, Free-BSD and Solaris, but I think will work on other systems as well. This is a light version, it has only a small number of encoders, less protection 'tricks' and weak optimization. It is free for non-commercial use, you can not earn money my mazing scripts. However you can still freely encode your own commercial scripts. SSM Pro version is much stronger, has a nice Windows GUI, but it's not free. //================================================================== 2. Requirements //================================================================== SSM itself and mazed scripts requires PHP 4.3.0 or greater, and is compatible with PHP 5 as well. If you checked Turck option while mazing, then Turck MMCache or Turck Loader extension must be installed. //================================================================== 3. Installation //================================================================== !!! Create and place all protection procedures into ENCODELIB folder !!! SMM must have the following directory structure: ENCODELIB\_bottom.php ENCODELIB\_top.php ENCODELIB\_top_compress.php ENCODELIB\_bottom_turck.php (only for Turck encoding) ENCODELIB\_top_turck.php (only for Turck encoding) ENCODELIB\*.php (several encode libs) index.php (www GUI) index.htm (GUI template) phpmaze.php (maze class) phpmorph.php (morph class) sftemplate.php (template engine class) If you use Turck encoding, then grant phpmaze.php write access in the current folder. Execute index.php in your browser. //================================================================== 4. Options //================================================================== * Custom maze level - specify number of times to maze your script, the more the stronger protection is, but execution will take more time. * Custom morph level - complexity degree of code morphing, or number of times the code is morphed. Affects size of resulting script, do not set too much, 2 is normal. * Master password - you can provide your own password when mazing, and later you can always decode scripts with this password. Pass it as 'unmaze' parameter for protected script: mazed.php?unmaze=mypassword * Compression - protection wrapper has some size, and the more maze and morph level you set, the greater it will become. To reduce resulting size SSM can apply compression on last mazing step. This requires ZLIB functions. All new PHP versions have built-in ZLIB, so you can always use compression. Decompression is very fast, and won't increase execution time. * Self-integrity check - when executed mazed script opens itself (for reading only) and checks CRC to detect hacking. If hack attempt is detected then parse error is simulated. * Client/Server IP binding - you can specify IP addresses or masks to allow execution only for desired clients and/or on desired servers. All other clients will see error message. Mask can contain '*' char (any number 0-255), for example 192.168.0.* * Expiration date/time - script will work only till specified date/time. //================================================================== 5. Tips //================================================================== Here are some limitations for you scripts: * decoding wrapper uses global variables V000-V999, so if you use them or pass variables with the same names from forms with register_globals turned on, there will be conflict. Try to change names or access them through $_REQUEST array. * your actual script is executed with eval(), so __FILE__ constant will contain string "eval'd code", thus constructs such as basename(__FILE__) won't work without special parsing. debug_backtrace() result will also have some slight changes. * SSM parses your script by <? ?> tags, so if you have them inside strings (for example) 'aaa <? bbb', SSM can parse incorrectly. Try to split '<'.'?' or do something else to 'hide' them. You may notice, that decoding time (unmazetest parameter) is quite fast, but remember that it is only for a single script. For example, if you encode 10 scripts, and each one decodes in 0.3 seconds, but the first one includes all others, then total time for this script will be 0.3*10 = 3 sec, and this is not as good as it was before (unmazetest will still show 0.3 sec because it aborts execution and doesn't process other includes). So try to protect only crucial and valuable scripts in large projects, e.g. don't protect public DB layers or template engine files, anybody can always freely download them. It is also possible to protect HTML pages without PHP code at all, just do not encode templates of your template engine (if you use any). I think you understand why. SSM can use your own written encoders for protection, just try to write in similar syntax with other libs (in encodelib folder). table_reorder.php is very nice and simple example template to start from (variable $V001 contains string with char codes 0-255). All encoders are processed with morpher, which has some serious limitations (in light version), that's why try to be as close in syntax as possible. Your own encode methods will make your mazed scripts unique, greatly increasing protection strength. //================================================================== 6. Conclusion //================================================================== I can only advise you to encode any script, and then try to decode it yourself. If you find it easy, then look for a better protection system (also keep in mind that possible intruders might not be so experienced as you, especially if they want to steal your code, and can not write it themselves). Good luck!