挑战:最大限度地提高混淆逆向工程的成本
免责声明:类似的问题已经在 SO 上被问过多次,但是这个问题更加具体,并且到目前为止尚未得到充分解决。
我们正在开发一种新的打包软件,出于业务安全原因,该软件必须以 PHP 形式在我们客户的服务器上运行。该软件随每用户最终许可证一起出售;价格范围为每位用户 20-80 美元,目标市场为小型(且精通网络)咨询公司和 IT 机构。
为了阻止盗版(例如,取消用户许可证强制执行),我们希望以任何技术上可用的方式最大限度地保护 PHP 代码,这不会给用户带来不便。
让我们分解一下:
不会给用户带来不便:不需要额外的服务器端安装(没有 zend 解码器或其他二进制文件)。必须在开箱即用的普通共享 PHP 主机上运行。
最大化保护:破坏保护的代价必须超过购买额外许可证的成本。也就是说,专业黑客至少需要 3-5 个工作日才能解除用户许可证保护。
- 技术上可用的任何手段:可能打电话回家,可能使用高端加密,可能实现 c64 模拟器。
为了主动解决迄今为止投票率最高的非解决方案:
不寻找完美混淆,只是极其困难(定义为:必须采取至少 3-5 个工作日才能解密),或其他反盗版方法
不要寻找“黑盒”软件包,我不知道它们是如何工作的,也无法确定它是否适合我们的目的;寻找算法和开箱即用的想法。
不寻求许可/法律方面的保护,我们已经涵盖了这一点。
我们确实知道,只要有足够的时间和精力,所有的混淆迟早都会被黑客入侵;我们只是希望这不是一个经济的解决方案。
考虑到上述限制,您会使用什么方法或想法来最大限度地采取反盗版措施?
赏金狩猎:考虑到上述限制,重点是对代码进行逆向工程的最难的算法方法。
更新/赏金狩猎:我接受了 Ira Baxter 的回答,主要是因为其余的回答未能回答核心问题,并试图质疑基本假设(商业、闭源、yadda yadda)。谢谢大家!
Disclaimer: Similar questions has been asked a number of times on SO, however this question is much more specific, and has not been adequately addressed so far.
We're developing a new packaged software, which, for business security reasons, must run on our customer's server, in PHP. The software is sold with a per-user end-license; price range is within $20-80 per user, target market is small (and web-savy) consultancies, and IT agencies.
To discourage piracy (eg. removing the user-license enforcement), we'd like to maximize the protection of the PHP code in any means technologically available, which does not inconvenience the user.
Let's break this down:
does not inconvenience the user: no additional server-side installs (no zend decoder, or other binaries). Has to run on a plain-vanilla shared PHP host out-of-the-box.
Maximize the protection: breaking the protection has to outweigh the cost of buying an additional license. That is, it has to take at least 3-5 working days for a professional hacker to remove the user license protection.
- Any means technologically available: might call home, might use high-end crypto, might implement a c64 emulator.
To pro-actively address the so far highest-voted non-solutions:
NOT looking for perfect obfuscation, just extremely hard ones (defined as: have to take at least 3-5 working days to decrypt), OR other anti-piracy methods
NOT looking for "black-box" software packages, which I don't know how they work, and can't determine whether it fits our purpose; looking for algorithmic ,and out-of-the-box ideas.
NOT looking for license/law-side protection, we already have that covered.
We DO know, that given enough time, and focus, all obfuscation will be hacked sooner or later; we merely want this not to be the economical solution.
Given the above constraints, what methods, or ideas would you use to maximize anti-piracy measures?
Bounty-hunt: point goes for the hardest algorithmic method to reverse-engineer the code, given the constraints above.
Update / Bounty-hunt: I've accepted Ira Baxter's answer, mostly because the rest failed to answer the core question, and attempted to question the underlying assumptions (business, closed source, yadda yadda). Thanks all!
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(9)
我认为你想要做的是通过算法来转换代码,不仅要混淆执行的内容,还要混淆数据结构。我们假设我们从开发人员制作的程序的干净版本开始。他总是使用干净的版本。混淆产生了待发布版本。良好的混淆将产生一个与原始版本具有完全相同功能的发布版本,因此(可以说)不需要进一步的测试。
对于控制流扰乱,其想法是采用一开始就编写得很好的代码,并通过转换来推动它,通过乘以必须进行的一组假设,对控制流的决策进行静态(和人工)分析变得困难。分析了。例如,如果你有两个指针,并通过一个指针存储一个值,它会影响另一个指针看到的值吗?根据指针是否有别名,您可以获得两个不同的答案。现在取 N 个指针,其中每个可能都有别名;你会得到 2^N 种可能的别名关系。如果读者不知道确切的组合,他将无法确定某个决定是正确的、错误的还是有条件的。当然,生成它的工具会生成其结果已知的条件,因为它设计(生成)指针老鼠巢以产生特定的结果。
请参阅代码混淆文献调查(不是我的论文),其中讨论了各种控制流和数据流混淆。这可能不是对可能发生的事情的最新总结,但它非常有启发性。您应该注意,进行这种混淆会对执行时间产生一些影响。
关于这个主题的论文清楚地表明,控制和数据流混淆的程序对于静态分析器来说极其难以“理解”;这些论文提供/参考了处理此类混淆程序的算法复杂性的演示。
现在,您可能会说人们不是静态分析者,因此不会受到同样的限制。你可能是对的; 罗杰·彭罗斯著名地认为,人类没有与图灵机相同的约束;这个争论并没有得到解决。但加密/散列技术的整个基础本质上是建立在相同类型的计算复杂性参数之上的。迄今为止,还没有人证明自己足够聪明,能够以某种方式破解这些技术
可以被盗贼在日常生活中使用(好事,否则你的银行账户就会空了)。
要对 PHP 程序执行此操作,您需要可以解析 PHP 代码并执行此类转换的工具。我们的 DMS 软件重组工具包拥有强大的PHP 解析器,并且可以对代码应用非常复杂的转换。为了真正做到这一点,您需要在所有代码中全局应用转换,而不仅仅是逐个文件地应用转换。我们没有在 PHP 上实现这种混淆转换,但如果你真的想这样做,这就是方法。我们已对我们销售的其他商业产品的 PHP 程序应用了复杂的转换。
完成后,理想情况下,您可以将此结果编译为机器代码,例如使用 HipHop 编译器。 (仅仅编译就会打败一些人,但不会打败认真的软件工程师)。
编辑:混淆!=反盗版是其他答案中的主题。那么混淆有什么帮助呢?
首先,您需要处理反盗版问题。显而易见的事情是:
如果盗版者窃取了代码,这些信息将最终保存在内存中并发挥作用;他也偷了这根绳子。
您的客户不愿意让它被盗。
(由于您的应用程序旨在非常便宜,因此您可能需要自动化
注册过程)
现在,这些步骤可以防止某人(从法律上和技术上)窃取您的代码。
如果这就是你所拥有的一切,一个无所畏惧的盗版者将简单地删除技术检查并将其偷走。
很难阻止有人复制组成的比特流
您的产品;计算机太擅长复制了。
所以你的目标就是让他很难推导出来
如果他这样做了,那就有价值了,这就是混淆的用武之地。
如果代码被充分混淆,他将很难找到许可证检查
并打电话回家机制以禁用它们。 (我建议进行多次检查,但没有一个总是调用,以使窃贼很难判断他何时成功。)。
混淆做得很好,应该可以保护原件的印刷
所有者的名字,这意味着原始所有者将有一些利益来防止它被
在任何诉讼中你都会将他与海盗一起命名为“被盗”。
如果他们击败了许可证、版权印刷和回拨机制,
只是想在不告诉你的情况下在后台运行它,你可能会被卡住。
(对于 80.00 美元,我无法想象为什么他们会为了这个效果而费尽心思)。
但许多窃贼想要修改软件来“改进”它,特别是如果他们想要你的市场。严重的混淆将阻止他们这样做;它甚至会
使他们很难添加自己的许可证控制。
这严重限制了价值。
他们可能只是窃取它并免费发布给世界;你的希望是
该应用程序很难破解。如果他们成功了,你唯一好的防守
是获得许可的所有者获得的持续升级流。
恕我直言,混淆是成功防御盗版的关键。
I think what you want to do is to transform the code algorithmically, to obfuscate not only what is executed, but also to obfuscate the data structures. We assume we start with a clean version of the program, produced by the developer. He always works wih the clean version. Obfuscation produces the to-ship version. Good obfuscation will produce a to-ship version with exactly the same functionality as the original, so no further testing is (arguably) needed.
For control flow scrambling, the idea is to take the nicely written code you have at the start, and push it through transformations that make static (and human) analysis of the decisions that control the flow difficult by multiplying the set of assumptions that have to analyzed. For instance, if you have two pointers, and store a value through one, can it affect the value seen by the other? Depending on whether the pointers are aliased on not, you can get two different answers. Now take N pointers, each of which may be aliased; you get 2^N possible aliasing relations. If the reader doesn't know the exact combination, he won't be able to determine if a decision might be true, false or conditional. Of course, the tool that generates this produces conditionals whose outcome it knows, because it designs (generates) the pointer rat's nest to produce a specific outcome.
See Code Obfuscation Literature Survey (not my paper), which discusses a variety of control flow and data flow obfuscation. This is likely not the most recent summary of what is possible, but its pretty instructive. You should note doing this kind of obfuscation has some impact on execution time.
What the papers on this topic make clear is that control and data flow obfuscated programs are extremely hard for static analyzers to "understand"; the papers provide/reference demonstrations of the algorithmic complexity of processing such obfuscated programs.
Now, you might argue that people aren't static analyzers and therefore don't suffer the same limitations. You might be right; Roger Penrose famously argues that people do not have the same constraints as Turing machines; the argument isn't settled by a long shot. But the entire foundation of encryption/hashing technology is built on essentially the same kind of computational complexity arguments. And to date, nobody has proven smart enough to crack these technologies in ways
that can be used in daily life by theives (good thing, or your bank accounts would be empty).
To do this to a PHP program, you need tools that can parse the PHP code, and carry out such transformations. Our DMS Software Reengineering Toolkit has robust PHP parsers, and can apply very complex transformations to code. To do this really well, you want to apply the transformations globally across all your code, not just on a file-by-file basis. We don't have this kind of obfuscation transformation implemented on PHP, but if you really wanted to do it, this would be the way. We have applied complex transformations to PHP programs for other commercial products that we sell.
When you are all done, ideally you'd compile this result to machine code, say using the HipHop compiler. (Just compiling would defeat some folks, but not the serious software engineers).
EDIT: Obfuscation != AntiPiracy is a theme in other answers. So how does obfuscation help?
First you need to deal with the anti-piracy issue. The obvious things to do are:
these will end up in memory and play a roleif a pirate steals the code; he stole this string, too.
your customer unenthusiastic about letting it be stolen.
(Since your app is intended to be very cheap, you'll probably need to automate
a registration process)
Now, these steps prevent someone (legally and technically) from stealing your code.
If this is all you have, an unfazed pirate will simply remove the technical checks and its stolen.
It is very hard to prevent somebody from copying the bit stream that makes up
your product; computers are far too good at copying.
So your goal is to arrange for it to be hard for him to derive
value if he does, and that's where obfuscation comes in.
If the code is sufficiently obfuscated, he will have a difficult time locating the license check
and phone home mechansisms to disable them. (I suggest several checks, none of them always called, to make it hard for the theif to tell when he is successful.).
The obfuscation, well done, should protect the printing of the original
owner's name, which means the original owner will have some interest in prevent it from being
stolen as you'll name him along with pirate in any lawsuit.
If they defeat the licenses, copyright printing, and phone-home mechanisms,
and simply want to run it in the back room without telling you, you might be stuck.
(For $80.00, I can't imagine why they'd go to all this trouble just for this effect).
But many thieves want to modify the software to "improve" it, especially if they want your market. Serious obfuscation will prevent them for doing this; it will even
make it hard for them to add thier own license controls.
That limits the value pretty severely.
They may simply steal it and release it to world for free; your hope here is
the applicaton is hard to crack. If they succeed, your only good defense
is a continuing stream of upgrades that licensed owners get.
Obfuscation is a key to successful piracy defense, IMHO.
混淆!=反盗版例如,您可能有一个严重混淆的类,但我可以使用反射来查看该类实现的所有方法。然后我可以扩展这个类并重写我不喜欢的任何方法。你在储存秘密吗?因为任何秘密值都可以使用调试器从内存中提取。3-5天?即使使用 Zend-Guard,使用某些开源工具也需要 3-5 秒才能破解。大多数混淆工具都非常原始且容易被破解。
很抱歉,但我认为对此没有一个好的解决方案。
Obfuscation != Anti-piracyFor instance you could have a heavily obfuscated class, but I can use reflection to see all methods that this class implements. I can then extend this class and override any methods that I don't like. Are you storing a secret? Because any secret value can be pulled from memory using a debugger.3-5 days? Even with Zend-Guard it takes 3-5 seconds to break using some open source tool. Most obfuscation tools are very primitive and easy to break.
I'm sorry but I don't think there is a good solution for this.
最好的反盗版方法就是没有方法。
如果您不想使用 zend 等工具,那么最好什么也不做。
据我所知,试图阻止盗版可能会浪费更多时间并损失销售额。你只会伤害你自己。嘿,他们不在乎,这很有趣,你越努力,他们就越满意。一旦完成,所有人都可以通过种子下载。所以没有人需要重复这一努力。
做好申请。让它运作良好。提供优质的服务,您想要的客户会很乐意付款。那些你不想要的客户永远不会付款,所以不要在他们身上浪费时间。你猜怎么着,它们实际上成为了很好的广告。人们会在更多的网站上看到您的软件并寻找它。
所以实际上你得到了免费的广告。
因此,如果您的软件出现故障,不要有压力,不要浪费时间,也不要责怪盗版者。责怪自己,因为你在尝试做不可能的事情时太过分心
,我想添加一点我的个人经历。
早在 90 年代,我花了几个月的时间创建加密技术来减少/防止盗版严重盗版的软件,最终我“大部分”成功了。
我使用了自定义加密、垃圾插入、随机数生成器、跨模块 CRC 检查等等。
我曾经经常加入专门讨论我的软件和其他类似软件的新闻组,甚至还进行了交谈。一位有礼貌的人说:“你为什么要浪费时间,我们这样做只是为了好玩”。但我被迷住了。这是一场比赛。
如果我花时间和精力改进软件,我赚到的钱将是我因盗版而损失的 10 倍。
这是一场愚蠢的胜利。
The best anti piracy method is no method.
If you don't want to use tools such as zend, then you are better off doing absolutely nothing.
Take it from me you can waste more time and lose sales trying to stop pirates. you will only hurt yourself. Hey they don't care and its good fun, the harder you make it the more satisfaction they get in doing it. and once its done it will be available for all via a torrent. so no-one needs to repeat the effort.
Make a good application. make it work well. give Fantastic service and the customers you want will gladly pay. those customers you don't want will NEVER pay so don't waste time on them. And guess what, they actually become good advertising. people see your software on more sites they come looking for it.
So in effect you are getting free advertising.
So don't stress, don't waste your time and don't blame pirates if your software fails. blame yourself because you got too distracted trying to do the impossible
I wanted to add a little bit of my personal experience.
Back in the 90's I spent many months creating encryption techniques to reduce/prevent pirating of a heavily pirated piece of software, in the end I 'mostly' succeeded.
I used custom encryption, junk insertion, random number generators, cross module CRC checking, blah blah blah.
I used to hang out in the news group devoted to hacking my software and others like it and even struck up conversations. one polite fellow said "why are you wasting your time we do this for fun". but I was hooked. it was a competition.
If I had spent the time and effort on improving the software instead, I would have earned 10x the amount I thought I had lost to piracy.
It was a fools victory.
我想了很多,你问的基本上是不可能的。你可以无休止地混淆,人们仍然会窃取你的软件。你对此无能为力。如果您编写代码来打电话回家,有人会将其删除并只输入
true代替。最好的选择是编写高质量的软件,以便人们愿意购买它。要么就是这样,要么使用 ionCube 或 Zend 等商业解决方案。I thought about this a lot, and what you are asking is essentially impossible. You can obfuscate to no end and people will still steal your software. There is little you can do about it. If you write in code to call home, someone will strip it out and just put
truein instead. Your best bet is to write quality software so people want to buy it. It's either that or use a commercial solution like ionCube or Zend.只有少数事情可以真正发挥作用。我能想到的最基本的逻辑是有效的(因为这个市场听起来相当受控且有限)是使用类似于许可服务器的东西,但具有双向通信通道(您可以加密等) .. ETC..)。
现在,您当然可以让某人禁用该通信通道,但是在您将添加以禁用该软件的编码和您的公司将能够跟进客户的事实之间,因为您将确切地知道他是谁“向下”会有帮助。
逻辑的第三部分是针对每个发出的许可证,在生成软件和许可服务器之间发生的“检查”中发挥作用。这意味着您可以在本地生成唯一的哈希代码,这些代码用作软件发送回服务器的答案的一部分。这几乎排除了黑客攻击的可能性,因为黑客必须知道您使用什么算法来生成许可(因为它是预先生成的,所以没有逻辑可用于解密它)并且黑客必须为您提供信息许可密钥。
第四步(可选)是将更新推送给客户端,以刷新您已有的安全机制,并对您的代码运行“篡改”检查,可能会定期提供某种哈希值,以便在您的软件用于连接的逻辑中使用到许可服务器。
这仍然不完美,有人“将”能够克隆生产机器,规避/重定向许可(你不会知道,因为它将是一个副本)并尝试处理你所拥有的检查您的代码需要许可证(正如上面提到的,将所有逻辑设置为“True”)...但是您绝对可以花时间对您的许可系统进行检查和加密,并使其变得耗时且“有风险”过程。除非..作为最后的接触...您可以从服务器生成的产品中获得一些可交付成果(没有任何代码位于客户端所拥有的代码中)并推送到具有此许可机制的软件..但是我不知道这怎么可能。
Only a few things can really work. The most basic logic I can think of that would be effective (since this market sounds like it's fairly controlled, and finite) would be to use something similar to a licensing server, but with a two-way communication channel (that you can encrypt etc.. etc..).
Now, of course you can have someone disable that communication channel, but between the coding you will add to disable the software, and the fact that your company will be able to follow up with the client since you will know exactly who it is that is "down" that will help.
The third part of the logic, is for each license that is given out to play a role in generating the "checks" that will occur between the software and your licensing server. This means you generate, on-premise, unique hash codes that are used as part of the answer your software send back to the server. That pretty much rules out the hacking, because the hacker would have to know what algorith you are using to generate the licensing (since it is pre-generated, there is no logic to use to decipher it) and the hacker would have to feed you a licensing key.
The fourth step, optionally, would be to push updates to clients to refresh the security mechanisms you have in place and run "tamper" checks on your code, possibly periodically feed some sort of hash to be used in the logic your software uses to connect to the licensing server.
This still isn't perfect, someone "will" be able to clone a production machine, circumvent/redirect the licensing (and you won't know since it will be a copy) and try to work away at the check that you have in your code which require a license (as someone above mentioned, set all the logic to "True")... but you could definitly spend the time putting checks and encryption on your licensing system and make it a time-consuming and "risky" process. Unlesss.. as a final touch... you can have some deliverable from your product generated by your server (none of the code is in what the client has) and pushed to the software that has this licensing mechanism in place.. but i don't know how possible that is.
人工代码膨胀
通过使用后处理器自动膨胀代码并插入逻辑乘法器,您会使代码难以修改
我在原始源代码中使用标签来指示每个方法中的代码类型以及哪个代码乘法器使用。随机发生器也可以提供帮助,因为每个版本看起来都非常不同
代码膨胀是通过各种过程实现的。例如,在变量正式进入范围之前和之后重复和随机调整变量。很多额外的逻辑步骤永远不会被遵循。将单个语句分解为许多随机的小步骤。只要最后一步的顺序正确,请将这些语句与尽可能多的其他语句交织在一起。 这个过程的最后也是
最重要的部分是通过这个混乱交错密钥生成和调用主进程,并成为这个混乱的一部分(记住“在它们之前和之后随机摆弄变量”)正式在范围内”),因此删除密钥生成和回拨所花费的时间变得难以处理
回拨服务器必须像 滚动代码远程控制 因此,虽然攻击者可能会发现回拨函数,但将它们删除将导致通用方法中的通用变量的初始化值不正确,并且在您可以使用的许多情况下
随着时间的推移,您可以构建通用代码重新解析器,以及一个函数库来搞乱代码。不断添加代码混乱库以提高混淆级别
您需要有一个覆盖良好的单元和集成测试库来验证混乱后的代码
我没有用PHP这样做过,但使用与PHP具有类似约束的其他语言
注意:这种技术对于复杂的科学软件来说效果很好,因为无论如何,这些软件中都存在大量的神秘逻辑和数学。对于像 CMS 这样的典型网站来说,它可能不太有效,除非您的代码乘数非常令人信服
Artificial code bloat
By using post processors to automatically bloat the code and insert logic multipliers you make the code hard to modify
I use tags in the original source to indicate the type of code in each method and which code multiplier to use. Randomisers can help too, as each release looks very different
The code bloat is achieved by a variety of processes. e.g. repeating and random fiddling of variables before and after they are officially in scope. Lots of extra logic steps that will never get followed. Breaking single statements into many random small steps. Interlace these with as many other statements as possible as long as the final step is in the correct order. etc etc
The final and most important part of this process is to interlace key generation and call home processes through this mess, and to be part of this mess (remember the "random fiddling of variables before and after they are officially in scope") so that the time taken to remove the key generation and call home become unwieldy
The call home server has to act like a rolling code remote control so while the attacker might discover the call home functions, taking them out will result in incorrect initialisation values for general variables in general methods, and in as many cases as you can work with
Over time you can build the general purpose code re-parser, and a library of functions to mess the code up. Keep adding the code mess library to improve the obfuscation level
You need to have a well covering unit and integration test library to validate the code after being messed up
I have not done this with PHP, but with other languages with similar constraints as PHP
Note: This technique works fine for complex scientific software where there is large amounts of cryptic logic and maths anyway. It may not work so well for typical web sites like CMS's unless your code multipliers are very convincing
如果我做对了,为什么不投资一台在应用程序成本范围内交付的服务器,一台可以放置在客户处的服务器,只打开一个端口用于 http 访问,我的意思是用 1000 美元你可以得到一个可以作为您的软件保险箱的机器。如果有人试图侵入它,你就会知道。
另一个解决方案可能是:
目前我在一家大公司工作,该公司在全国各地拥有大约 350 个销售点(商店)。由于我们不能 100% 依赖互联网连接,因此我们在每家商店都有一台服务器。该服务器处理实际销售所需的业务,并链接到本地数据库。其余的东西位于总部服务器上。现在,职员面前有计算机,所有这些计算机都与本地服务器上托管的应用程序一起工作,本地服务器上的问题是注册表知道某个服务是否放置在本地(在同一台机器上)或远程(在总部)并根据需要执行调用(通过 http 从远程位置或从本地服务直接调用)。服务可以放置在任何地方(本地或远程),所需要做的就是通过简单地输入关键字之一来配置它们在注册表中的位置:本地、远程、应用程序(应用程序关键字意味着该服务首先从远程调用,并且如果失败则在本地调用)。这样您就可以做出可接受的妥协。非常必要的东西可以放在本地,其余的业务逻辑可以驻留在您的服务器上,没有人可以触及它。
If I get this right, why not invest in a server to be delivered within the cost of the application, a server which can be placed at the customer, with only one port opened for http access, I mean with a $1000 you can get a machine that can work as a safe for your software. If anyone attempts to hack into it you will know.
Another solution might be:
Currently I am working for a huge company that has aprox 350 selling points(shops) all over the country. As we can not rely on internet connection 100% we have a server at each shop. This server handles the business required for actual selling and it is linked to a local database. The rest of the stuff sits at the head-office server. Now, the clerks have computers in front of them, and all these computers work with the application hosted on the local server, the catch on the local server is that a registry which knows if a certain service is placed locally (on the same machine) or remote (at the head office) and executes the call as required (over http from remote location or direct call from local service). Services can be placed anywhere (local or remote) and all one needs to do is to configure their location in the registry by simply entering one of the keywords : local,remote,application (application keyword means that the service is first called from remote and if it fails it is called locally). This way you can make an acceptable compromise. Highly necessary stuff can sit locally and the rest of the business logic can reside on your server where nobody can touch it.
简而言之,答案是否定的,没有办法以如此复杂的方式混淆代码,以至于需要几天才能破解。简单的解释:混淆是一个双向过程。它可以完成和撤消。如果计算机可以做到,那么有决心的人也可以做到。
与其浪费这么多时间来保护您的代码,为什么不从流行的电视节目 24 中获取提示(旁注:不应该被取消!)。为了确保脚本不被窃取或泄露给公众,他们为每个脚本添加了演员、导演、制片人等特定的数字水印。您可以通过为每个 PHP 文件“添加水印”来对脚本执行类似的操作。这可以是简单的事情,例如更改变量的名称以反映客户端 ID,也可以是复杂的事情,例如将识别字符分布在多个变量和函数值/名称上。尝试将此标识符和/或其部分放入脚本中尽可能多的不显眼的位置。只有您才能知道创建识别信息的确切组合。这样,如果代码泄露,您可以起诉责任方。
The short answer is no, there is no way to obfuscate code in such a complex manner that it takes days to crack. The simple explanation: obfuscation is a two way process. It can be done and undone. If a computer can do it, a determined person can do it too.
Instead of wasting so much time on protecting your code, why not take the hint from the popular TV show 24 (side note: Should have never been canceled!). To ensure scripts weren't stolen or revealed to the public, they watermarked each with a number specific to cast member, director, producer, etc. You can do something similar with you scripts by "watermarking" each PHP file. This can be something as simple as changing the name of the variable to reflect a client ID or something as complex as spreading identifying characters over multiple variable and function values/names. Try working this identifier and/or parts of it into as many inconspicuous places in your scripts as possible. Only you can know the exact combination that creates the identifying information. This way if code is leaked you can sue the responsible party.
只是一个建议,您可能只想添加所需的代码行,这些代码行实际上并不执行任何操作,除了看起来像这样。
Just a suggestion, you might just want to add needed lines of code that don't really do anything, except it looks like it.