Obfuscation

Source code contains various tags and names defined by the programmer. Developers typically choose meaningful names to make the code easy to understand and maintain.

Obfuscation converts these tags and names into cryptic names to make the code difficult for others to understand, without affecting code execution.

 

Example:

Original Code:

<?php

function getName()
{
    echo "John Doe";
}

getName();

?>

After Obfuscation:

<?php

function a1234cd()
{
    echo "John Doe";
}

a1234cd();

?>

 

When obfuscated, the function getName is renamed to something that has no meaning, such as a1234cd, producing the code shown above under "After Obfuscation".

As you can see from the example, the execution logic of the code is maintained, but the code has become difficult to understand.

Several options have been provided to suit various code protection levels. The Zend Guard obfuscation options support PHP 5.5 and PHP 5.6.

The following encoding and obfuscation options are provided through the Security tab:

  • Encoding (no obfuscation)

  • Variables - Converts user-generated variable names into machine-generated, cryptic variable names. This completely scrambles the original context of the user-generated variable names.

  • Functions - Converts user-generated function names into machine-generated, cryptic function names. This completely scrambles the original context of the user-generated function names.

  • Classes - Converts user-generated class names and methods into machine-generated, cryptic class names. This completely scrambles the context of the original, user-generated class names and methods.

  • PHP Built-in symbols - Converts PHP language pre-defined names into machine-generated, cryptic names. For example, acos(), count_chars(), Exception, StdClass and echo will be completely scrambled.

Important!

Obfuscation may change your original code to the extent that it may not execute properly. Use the Exclude List to resolve such problems.
For example, code that calls functions referenced by string may not run after obfuscation:

<?php

function do_mysql_query($query) { /* ... */ }
function do_sqlite_query($query) { /* ... */ }

function executeQuery($dbname)
{
    // The function name is assembled at runtime from a string.
    $query_function = "do_" . $dbname . "_query";
    $result = $query_function("SELECT * FROM TABLE");
}

?>


After obfuscation, the functions do_mysql_query, do_sqlite_query and executeQuery are renamed, so the value of $query_function no longer matches any function name and a runtime error occurs (a "function not found" error).
Therefore, use the Exclude List to exclude the function names do_mysql_query and do_sqlite_query from being obfuscated.
Additional examples of functions, class names, methods and variables that should not be obfuscated can be found in "Excluding PHP Entities".
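
One way to find such functions before obfuscating is to scan the source with PHP's tokenizer for calls made through a variable and match the string pattern assigned to that variable against the declared function names. This is an added example, not part of Zend Guard or its documentation; the function name excludeCandidates and the sample source are constructed for illustration.

```php
<?php
// Added example, not Zend Guard code. Resolves names built by concatenating
// quoted literals in a plain assignment; other computed calls go to 'review'.
function excludeCandidates($source)
{
    // Drop whitespace and comments so neighbouring tokens can be compared directly.
    $tokens = array_values(array_filter(token_get_all($source), function ($t) {
        return !is_array($t) || !in_array($t[0], [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT], true);
    }));
    $defined = $globs = $called = $exclude = $review = [];
    for ($i = 0, $n = count($tokens); $i < $n; $i++) {
        $t = $tokens[$i];
        $next = isset($tokens[$i + 1]) ? $tokens[$i + 1] : null;
        if (!is_array($t)) { continue; }
        if ($t[0] === T_FUNCTION && is_array($next) && $next[0] === T_STRING) {
            $defined[] = $next[1];                  // function declaration
        } elseif ($t[0] === T_VARIABLE && $next === '(') {
            $called[$t[1]] = true;                  // variable function call: $f(...)
        } elseif ($t[0] === T_VARIABLE && $next === '=') {
            // Walk the right-hand side to ';': keep literals, turn the rest into '*'.
            for ($glob = '', $j = $i + 2; $j < $n && $tokens[$j] !== ';'; $j++) {
                $rhs = $tokens[$j];
                $literal = is_array($rhs) && $rhs[0] === T_CONSTANT_ENCAPSED_STRING;
                $glob .= $literal ? substr($rhs[1], 1, -1) : ($rhs === '.' ? '' : '*');
            }
            $globs[$t[1]][] = $glob;
        }
    }
    foreach (array_keys($called) as $var) {
        $hits = [];
        $patterns = isset($globs[$var]) ? $globs[$var] : [];
        foreach ($defined as $name) {
            foreach ($patterns as $glob) {
                if (fnmatch($glob, $name)) { $hits[$name] = true; }
            }
        }
        if ($hits) { $exclude += $hits; } else { $review[] = $var; }
    }
    return ['exclude' => array_keys($exclude), 'review' => $review];
}
// Constructed sample modelled on the page's executeQuery() example.
$sample = '<?php
function do_mysql_query($query) {}
function do_sqlite_query($query) {}
function executeQuery($dbname, $callback) {
    $query_function = "do_" . $dbname . "_query";
    $callback($query_function("SELECT 1"));
}';
print_r(excludeCandidates($sample));
```

Names under 'exclude' are candidates for the Exclude List; variables under 'review' are called as functions but their values could not be resolved from the source, so those call sites need to be checked by hand.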

There is a direct correlation between the number of files obfuscated and the difficulty of understanding and reverse engineering the code. Therefore, complete project obfuscation will best protect your application.