php.ini

What’s obfuscation and what is it good for?

Written by  on Dezember 3, 2015

To see how PHP code obfuscation works, you might check out the Free Online PHP Obfuscator. What happens there, makes your code completeley unreadable. But, it creates an enormous base64 encoded file, which simply might be too much. Also I had some troubles with *larger* php scripts with around 50 lines.
Nevertheless, you’ll be able to copy a neat trick from there. First a function name gets decoded in hex. If you have no idea about how to do it check out string to hex. So now you are able to encode your function name into a variable

$a="\x73\x79\x73\x74\x65\x6d"

Now we are able to replace the calls to the system function with our variable from

system("openssl req -noout -modulus -in testfile.csr >/dev/null 2>&1",$ret);

to

$a("openssl req -noout -modulus -in testfile.csr >/dev/null 2>&1",$ret);

So what is it good for? Could you hide from the disabled function in the php.ini? That’s a clear no! But this helps, when there is some nasty „maleware scanner“ that would delete your scripts from your webspace because of containing a call of the system function.
Is it secure? As always it depends. If you use PHP to execute some hardcoded shell script, this might work in a secure way. If you hand input to your scripts, you should be extra sure, that you know what you are doing!
Will it scale? I guess no. There is no protection from PHP in a way that you might DDOS yourself i.e. your webspace.
Also check for race conditions. Just think about what will happen, when you write into a file – and another call to the webserver will write into the same file.