
Comments for PHPCoder

13 Jul 2003 15:51 phirate

Re: Reversibility

> Of course financial information should
> very rarely ever be stored on servers
> unless you have invested considerable
> effort and funds into securing a
> system(s) you should pass financial
> information directly to real time
> authorization providers.


Absolutely agreed :)


> The code itself more than likely will not be able
> to be converted back to source code but
> any program can be reversed engineered,
> simply encoding an application will not
> make it secure but it can increase
> security by leaps and bounds.


Agreed. I just felt that it was an important point to make. Many people read about Zend Encoder and others and come to the conclusion that it really *is* safe. The problem with this attitude is not so much the difficulty involved in reversing the code, but the subsequent ease of distribution.

Many games, for example, have found that despite advanced copy protection schemes, their software has simply been reverse-engineered (from compiled, optimised code, much harder than PHP bytecode!), the protection removed, and a patch or fully defanged executable made available via Kazaa or Usenet for the entire world to grab. If it were 2 weeks' effort for each person who wanted the unprotected source that would be one thing, but it isn't; it's 2 weeks' work, then everybody gets it.

This shouldn't prevent people from distributing their work in this way, it is handy and in a court action would likely prove due diligence (IANAL), but it is not a substitute for good relations with your clients and a competitive product which people are glad to buy.

Encoders should also beware the temptation to artificially limit the capability of their product (say, single domain or 50 users only type things) because it is that kind of limitation that makes reverse engineering the most tempting.

07 Jul 2003 20:07 jsheets

Re: Reversibility

> It is important to note that this
> project, and Zend encoder and all
> equivalents that I am aware of are not
> failsafe as far as security goes. Once
> you place your code, bytecode or not, on
> someone elses system it is possible,
> with the necessary effort and skill, to
> reverse engineer the code into a form
> which can be operated on to remove time
> limits, IP address blocks, and to obtain
> passwords or other strings stored within
> the file.
>
> For the vast majority of uses the
> strength of the encoding provided is
> "good enough", however if
> you're talking about financial
> transactions, or software worth many
> thousands of dollars, you cannot trust
> this or any other encoding software to
> prevent disassembly and modification.
> Some are harder than others but in the
> end you are looking at one or two weeks
> work by someone with the necessary
> skills in order to reverse the encoding
> into something usable, even if it is not
> exactly equivalent to the original
> source (which it won't be).
>
> There are no tools that I am aware of
> available at this time to support the
> reverse engineering task, but I would
> not be surprised if they are around in
> one form or another, and conventional
> system tracing and crypto tools are
> still helpful.
>

Of course, financial information should very rarely ever be stored on servers unless you have invested considerable effort and funds into securing a system(s); you should pass financial information directly to real-time authorization providers. The code itself more than likely will not be able to be converted back to source code, but any program can be reverse engineered; simply encoding an application will not make it secure, but it can increase security by leaps and bounds.

07 Jul 2003 20:03 phirate

Reversibility

It is important to note that this project, Zend Encoder and all equivalents that I am aware of are not failsafe as far as security goes. Once you place your code, bytecode or not, on someone else's system it is possible, with the necessary effort and skill, to reverse engineer the code into a form which can be operated on to remove time limits, IP address blocks, and to obtain passwords or other strings stored within the file.

For the vast majority of uses the strength of the encoding provided is "good enough"; however, if you're talking about financial transactions, or software worth many thousands of dollars, you cannot trust this or any other encoding software to prevent disassembly and modification. Some are harder than others, but in the end you are looking at one or two weeks' work by someone with the necessary skills in order to reverse the encoding into something usable, even if it is not exactly equivalent to the original source (which it won't be).

There are no tools that I am aware of available at this time to support the reverse engineering task, but I would not be surprised if they are around in one form or another, and conventional system tracing and crypto tools are still helpful.
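The practical consequence of the point above (strings embedded in an encoded file can be recovered) is that the distributed script should contain no secret worth recovering. The following is an added illustration, not code from the PHPCoder project or from either poster: a credential baked into the shipped file next to the same connection set up from configuration the site operator controls. The environment variable names (`APP_DB_DSN`, `APP_DB_USER`, `APP_DB_PASSWORD`) and the sample password are assumptions made for the example.

```php
<?php
// Added example, not part of PHPCoder or the thread above.
// Encoding hides a literal from casual readers only; the bytecode still has
// to carry the string, so treat anything written into the file as readable.

// Weak pattern: the password ships inside the encoded script.
function weakDbHandle(): PDO
{
    $password = 'hunter2'; // constructed placeholder; this is the mistake being shown
    return new PDO('mysql:host=localhost;dbname=app', 'app', $password);
}

// Hardened pattern: the script holds no secret at all. Credentials come from
// the deployment environment (or a config file outside the web root that the
// operator owns), and the script refuses to start without them, so there is
// nothing for a reversed copy of the file to give away.
function hardenedDbHandle(): PDO
{
    $dsn      = getenv('APP_DB_DSN');      // assumed variable name, e.g. "mysql:host=localhost;dbname=app"
    $user     = getenv('APP_DB_USER');     // assumed variable name
    $password = getenv('APP_DB_PASSWORD'); // assumed variable name

    // getenv() returns false for an unset variable; fail closed rather than
    // fall back to a built-in default that would end up in the file.
    if ($dsn === false || $user === false || $password === false) {
        throw new RuntimeException('Database credentials are not configured in the environment');
    }

    return new PDO($dsn, $user, $password, [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
}
```

The same reasoning applies to the time limits and IP checks mentioned in the post: a check that lives only inside the shipped file is subject to the same one-or-two-weeks estimate, so the encoding buys time, not a guarantee, and anything that must stay private belongs outside the distributed code.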
