Why don't vBulletin zend their php scripts?


  • merk
    replied
    Originally posted by Wayne Luke
    No, it doesn't; it encodes the PHP to bytecode. Bytecode is a state between code and fully compiled machine language.

    The PHP engine works by taking your code and compiling it into bytecode before processing. This is often referred to as "Just In Time Compiling". It is how .NET and Java work as well. When you use an encoder such as Zend Encoder or IonCube, it compiles the PHP to bytecode and stores it as files. The loaders then take this code and feed it into the engine, bypassing the original compiling step at runtime. You still need the PHP engine installed on the server to run encoded scripts. When an error such as an illegal function (i.e. Function not found) occurs, the engine interprets the bytecode and extrapolates the function name for output. The encoders do not store the function names in plain text.
    So it should be possible to still retrieve the function names with a hacked Zend Engine?

    edit: It isn't possible. Reading into the thread on WHT posted here, it appears that the script isn't executed by the "open source execution routine". http://www.webhostingtalk.com/showth...5&pagenumber=2
    Last edited by merk; Tue 28 Sep '04, 12:08am.


  • Wayne Luke
    replied
    No, it doesn't; it encodes the PHP to bytecode. Bytecode is a state between code and fully compiled machine language.

    The PHP engine works by taking your code and compiling it into bytecode before processing. This is often referred to as "Just In Time Compiling". It is how .NET and Java work as well. When you use an encoder such as Zend Encoder or IonCube, it compiles the PHP to bytecode and stores it as files. The loaders then take this code and feed it into the engine, bypassing the original compiling step at runtime. You still need the PHP engine installed on the server to run encoded scripts. When an error such as an illegal function (i.e. Function not found) occurs, the engine interprets the bytecode and extrapolates the function name for output. The encoders do not store the function names in plain text.


  • Tom|HT
    replied
    Originally posted by Scott MacVicar
    Well, that's what I was wondering about.

    How much of the engine does it use after encoding? Could I take the compiled versions and hack the Zend Engine to expose the function names and what they're accessing?

    I know we wouldn't be able to get the original code, as this is done by a bison parser that turns the plain text PHP into something machine parseable, and this step is skipped with Zend Encoded files.
    With the ioncube engine certainly, the function names are still stored plainly somewhere (see below method).

    If you want to hackishly find out if Zend keeps the function names plain you can do this:

    1) find & install a Zend encoded script with multiple files
    2) replace a library file such as a functions.php with a blank file
    3) run the script

    If you get an error such as function not found function_format_time() or something, it shows it keeps function names plaintext.


  • The Prohacker
    replied
    Originally posted by Scott MacVicar
    Well, that's what I was wondering about.

    How much of the engine does it use after encoding? Could I take the compiled versions and hack the Zend Engine to expose the function names and what they're accessing?

    I know we wouldn't be able to get the original code, as this is done by a bison parser that turns the plain text PHP into something machine parseable, and this step is skipped with Zend Encoded files.

    There was a good post on WHT about encoding PHP: http://www.webhostingtalk.com/showth...08#post2494123


  • Scott MacVicar
    replied
    Well, that's what I was wondering about.

    How much of the engine does it use after encoding? Could I take the compiled versions and hack the Zend Engine to expose the function names and what they're accessing?

    I know we wouldn't be able to get the original code, as this is done by a bison parser that turns the plain text PHP into something machine parseable, and this step is skipped with Zend Encoded files.


  • Tom|HT
    replied
    If you are determined you can go and edit the PHP engine then recompile it, so that it will ignore a function e.g. check_license_status(), although if you are doing that, you probably have enough skill to have a good enough job, and thus purchase it.


  • Jerry
    replied
    Originally posted by Scott MacVicar
    I'm curious if someone could add checks into the engine to output what was called when a function was used?
    Before or after it was encoded? You thinking of how to break it?


  • Scott MacVicar
    replied
    I'm curious if someone could add checks into the engine to output what was called when a function was used?


  • Jerry
    replied
    Originally posted by MetalGearMaster
    interesting... but doesn't the browser call on things like showthread.php?t=1 .... how would that work with an exe?

    MGM out
    Because showthread.php could still be there, just encoded, or they could all be in one file.


  • Colin F
    replied
    Originally posted by Dave#
    It's actually better than that. Not only does it encode the scripts, it obfuscates them too.
    For anyone else wondering:

    http://dictionary.reference.com/search?q=obfuscate

    ob·fus·cate
    To make so confused or opaque as to be difficult to perceive or understand: “A great effort was made... to obscure or obfuscate the truth” (Robert Conquest).


  • Dave#
    replied
    Originally posted by Zachery
    Open up an EXE file with your fave editor, you see lots of useless stuff. You really can't change it, or see how the program is doing it. Same idea, Zend "compiles" a version of the PHP files that its encoder can understand, but humans cannot.
    It's actually better than that. Not only does it encode the scripts, it obfuscates them too.


  • Zachery
    replied
    Open up an EXE file with your fave editor, you see lots of useless stuff. You really can't change it, or see how the program is doing it. Same idea, Zend "compiles" a version of the PHP files that its encoder can understand, but humans cannot.


  • MGM
    replied
    interesting... but doesn't the browser call on things like showthread.php?t=1 .... how would that work with an exe?

    MGM out


  • Zachery
    replied
    It sort of turns the PHP scripts into an exe file, for this example anyway. You can run them, they work, but you don't understand and can't see exactly how it works.


  • MGM
    replied
    I don't get how you'd be able to make unreadable source code if the source code is needed for the product to work... what exactly does Zend do? Excuse my ignorance on the subject.

    MGM out
