I don't know php at all; this is more of a question of curiosity.

Following the php function below in the text file are a few thousand characters of text, such as

xnEFstUhSNWGSx5zTq4X/AUw/rtism+klrBETWg0xE1uwb49rnRxrgrgY5EEp3Y0uvTcvLqhUFOP
4n7LDLQpQ9UACTyuUjGBKmUScQCYLCP08u06t0K3nWTNiM7Q6bQMk/iZBE+UK1ywbVC1Lzr9OOEK

Does this php function encode the random-looking text into php? Can the encryption scheme be figured out from this?

EDIT: The client says he has full ownership and rights to the code, developed by someone else. How would it be decoded? Does it require a password?

<?php //003ac
if (!extension_loaded('ionCube Loader')) {
    $__oc = strtolower(substr(php_uname(), 0, 3));
    $__ln = 'ioncube_loader_' . $__oc . '_' . substr(phpversion(), 0, 3) . (($__oc == 'win') ? '.dll' : '.so');
    @dl($__ln);
    if (function_exists('_il_exec')) {
        return _il_exec();
    }
    $__ln   = '/ioncube/' . $__ln;
    $__oid  = $__id = realpath(ini_get('extension_dir'));
    $__here = dirname(__FILE__);
    if (strlen($__id) > 1 && $__id[1] == ':') {
        $__id   = str_replace('\\', '/', substr($__id, 2));
        $__here = str_replace('\\', '/', substr($__here, 2));
    }
    $__rd = str_repeat('/..', substr_count($__id, '/')) . $__here . '/';
    $__i  = strlen($__rd);
    while ($__i--) {
        if ($__rd[$__i] == '/') {
            $__lp = substr($__rd, 0, $__i) . $__ln;
            if (file_exists($__oid . $__lp)) {
                $__ln = $__lp;
                break;
            }
        }
    }
    @dl($__ln);
} else {
    die('The file ' . __FILE__ . " is corrupted.\n");
}
if (function_exists('_il_exec')) {
    return _il_exec();
}
echo ('Site error: the file <b>' . __FILE__ . '</b> requires the ionCube 
PHP Loader ' . basename($__ln) . '  to be installed by the site administrator.');
exit(199);
?>
+1  A: 

Yes, it's to encrypt / decrypt PHP source. You can see at the bottom it refers to ionCube products.

Tesserex
+3  A: 

It's encrypted by ionCube. The ionCube extension will handle the decryption of the code. It's probably possible to decode it by yourself, but check your license agreement with the developer because it's not certain that it's legal to do so.

That part of the code will only check if the ionCube extension is installed on your server. It is not involved in the decryption of the file (I think, it's not easy to read obfuscated code :-)).

Emil Vikström
Thanks for the input. The client says he has full ownership and rights to the code, developed by someone else. How would it be decoded? With a password and with the Ioncube decoder package?
songdogtech
Try searching for an ionCube decoder. I've heard of sites doing the equivalent for Zend Optimizer but don't know about ionCube. But don't count on getting anything useful out of it because they've probably obfuscated all variables and function names as well, even after you've decoded the string. Try to get hold of the original source code instead, or tell your client that the code is encrypted and can't be changed without doing it from scratch.
Emil Vikström
+2  A: 

According to this site, it is an encoder. I guess it is for code obfuscation.

http://www.ioncube.com/

Caimen
It's better than obfuscation because it can't be decoded easily, although some people out there claim to do it for a hefty fee! There are other features of course such as IP/domain limiting, licensing, time expiry, etc...
chigley
Hefty fee? One Google search turned up $15 for one file, and $100 for 10 files... So yeah, it's not dirt cheap, but I wouldn't call that hefty either (unless you had a lot of files to decode)...
ircmaxell
@ircmaxell - things have clearly got easier then! When I first started using it, it was practically impossible to decode. Food for thought right there! :)
chigley
+3  A: 

Here is the code formatted:

<?php
  //003ac
  if (!extension_loaded('ionCube Loader')) {
      $__oc = strtolower(substr(php_uname(), 0, 3));
      $__ln = 'ioncube_loader_' . $__oc . '_' . substr(phpversion(), 0, 3) . (($__oc == 'win') ? '.dll' : '.so');
      @dl($__ln);
      if (function_exists('_il_exec')) {
          return _il_exec();
      }
      $__ln = '/ioncube/' . $__ln;
      $__oid = $__id = realpath(ini_get('extension_dir'));
      $__here = dirname(__FILE__);
      if (strlen($__id) > 1 && $__id[1] == ':') {
          $__id = str_replace('\\', '/', substr($__id, 2));
          $__here = str_replace('\\', '/', substr($__here, 2));
      }
      $__rd = str_repeat('/..', substr_count($__id, '/')) . $__here . '/';
      $__i = strlen($__rd);
      while ($__i--) {
          if ($__rd[$__i] == '/') {
              $__lp = substr($__rd, 0, $__i) . $__ln;
              if (file_exists($__oid . $__lp)) {
                  $__ln = $__lp;
                  break;
              }
          }
      }
      @dl($__ln);
  } else {
      die('The file ' . __FILE__ . " is corrupted.\n");
  }
  if (function_exists('_il_exec')) {
      return _il_exec();
  }
  echo('Site error: the file <b>' . __FILE__ . '</b> requires the ionCube 
PHP Loader ' . basename($__ln) . '  to be installed by the site administrator.');
  exit(199);
?>

It looks like this checks for the ionCube Loader and decodes the encrypted php by various methods if the extension is found. Otherwise, it lets the admin know he/she needs to install the extension.

edit: looks like you formatted the text while I was answering.

Jud Stephenson
I took the liberty to edit the question rather than posting an answer...
Mark
Just doing your civic duty, haha.
Jud Stephenson
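
Added example (not part of the original thread and not ionCube's code): a Python re-implementation of the stub's loader lookup, showing how to recognise the stub, which loader file name it builds, and which paths its while-loop tests before the second dl() call. The function names, the sample uname string, PHP version, directories and payload are constructed assumptions; only POSIX paths are handled.

```python
import posixpath

# Markers taken from the loader stub shown on this page.
MARKERS = ("extension_loaded('ionCube Loader')", "_il_exec()")

def split_encoded_file(text):
    """Return (is_stub, payload): payload is whatever follows the closing '?>'."""
    head, sep, payload = text.partition("?>")
    is_stub = bool(sep) and all(m in head for m in MARKERS)
    return is_stub, (payload.strip() if is_stub else "")

def loader_name(uname, php_version):
    """Mirror of the stub's $__ln: OS prefix + PHP major.minor + extension."""
    oc = uname[:3].lower()
    ext = ".dll" if oc == "win" else ".so"
    return f"ioncube_loader_{oc}_{php_version[:3]}{ext}"

def probe_paths(extension_dir, script_dir, name):
    """Paths the stub's while-loop tests with file_exists(), in order.
    POSIX paths only; the stub's Windows drive-letter branch is omitted."""
    ln = "/ioncube/" + name
    # dl() resolves names relative to extension_dir, hence the '/..' prefix.
    rd = "/.." * extension_dir.count("/") + script_dir + "/"
    hits = []
    for i in range(len(rd) - 1, -1, -1):      # same order as while ($__i--)
        if rd[i] == "/":
            hits.append(posixpath.normpath(extension_dir + rd[:i] + ln))
    return hits

# Constructed sample: abbreviated stub plus a made-up payload line.
SAMPLE = """<?php //003ac
if (!extension_loaded('ionCube Loader')) { /* ... */ }
if (function_exists('_il_exec')) { return _il_exec(); }
exit(199);
?>
Q09OU1RSVUNURUQgUEFZTE9BRA==
"""

if __name__ == "__main__":
    print(split_encoded_file(SAMPLE))
    name = loader_name("Linux web01 2.6.32", "5.2.17")   # constructed values
    print(name)
    for path in probe_paths("/usr/lib/php/modules", "/var/www/site", name):
        print(path)
```

The printed list starts at the script's own directory, climbs to the filesystem root, then descends to extension_dir, which is the set of locations worth checking when auditing where a host could pick up a loader binary from.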
+6  A: 

It's practically ioncube-encoded PHP, or obfuscated if you like. Ioncube is a non-free obfuscated bytecode execution engine and the ioncube loader is the library which handles the obfuscated code.

It's worth mentioning that the 'deobfuscator' is a free library and is loaded in most of the PHP installations I've seen.

methode
+1 for non-free. ionCube themselves (as well as Zend Optimizer, another obfuscator which has nothing to do with performance) do say they are free, but they're only free as in "no cost", not free as in free software. Those products are advertising themselves as "free extensions" to push users to blame webhosting companies without those extensions.
Emil Vikström
So many answers that are correct, but this one is the highest rated.
songdogtech