The plus side? I got a cheap laptop bag, talked to the CEO of santimage, got some good chocolates, and a former yahoo group director who shall be unnamed but is heading a startup. I might go join them but I'm still waiting. I have enough money to survive for now and I'm not really in a rush to join anyone, not for the right price. San Francisco was expensive and I met some really strange people. Clam chowder was good though. :-)
Today, Codelock, a so-called PHP and HTML encrypter was reverse engineered by moi. It can be found at www.codelock.co.nz and I stumbled across it after finding out a script that was "protected" by this program. I find it funny how they say you can use it to "protect" your HTML files (in addition to PHP) using obfuscation. First of all it would be stupid to encrypt HTML as search engine robots would be unable to decipher any of the resulting obfuscated code, resulting in zero web traffic from any search engines. Secondly it would result in a total mess if you wanted to make changes and tried to edit the HTML directly and not feasible for maintenance. Lastly why would anyone steal HTML code is beyond me. The funny thing is the authors themselves didn't use the application to protect their own HTML but yet cite the software as a tool which can be used to protect HTML... perhaps they only use it to protect their PHP files.
But on to the software itself, Codelock uses a decrypter file to decrypt your "protected files". The only problem is, the decrypter itself can be relatively easy to reverse engineer, with some trickery. The decrypter stores information such as checking of expiry dates of scripts and things like that. However once the decrypter's source is revealed, you can remove these checks such that even if an encrypted script does say to check for expiration, the expiration check can be bypassed directly by editing the decrypter's source code (which has very strange variable names I have to say, probably to confuse the heck out of whoever's reading it). Once the source code is obtained, it is also relatively easy (to me anyway) to deconstruct any encrypted scripts and output the source to plaintext. Sort of like a master key to any protected house. The result? The php script that was "encrypted" using CodeLock was fully decrypted and its source code exposed, after which I made some changes to remove the limitations that were present in the script.
The website itself says :
Codelock for PHP is a strong deterrent. Most end users will not be able to decipher your code and will have a difficult time working through the 24 levels of encryption used by the software (V1.5). It will take more than the average programmer to decipher your scripts. The fact is, any PHP encryption program does needs to decrypt the file at some time, so the code will theoretically be available to experienced crackers during its execution. However, it would take considerable expertise, a lot of time and a rewrite of some of the core PHP decode engine (codelock.php) to get at it. Note: The Decryptor file (codelock.php) is also Encrypted. As well as all this, it would be a violation of our reverse engineering policy.
Sort of like giving a locked treasure chest along with the key, except that the key is initially a jigsaw puzzle. The "violation of our reverse engineering" seemed like a last ditch effort to persuade the consumer to part with their money, knowing that if all else fails, it's against their policy! Ehhh... so what?? It wasn't a strong enough deterrent for me and I don't really consider myself a super coder other than armed with insight, common sense and some limited knowledge of encryption. In fact, PHP isn't even my specialty. Perhaps this experienced cracking thing only applies to their latest versions. Admittingly I have no idea what version the one I was working on but it was released as a commercial version and distributed with a "protected" php script.Well off to bed!
1 comment:
Its nice to see someone else has the same interests I do. Not saying I want to steal anything but just to show that not everything it what it seems. Thanks for the post
Post a Comment