PHP: ioncube decryption in seconds
Original URL: http://stackoverflow.com/questions/16678277/
Warning: these are provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must attribute it to the original authors (not me): StackOverFlow
ioncube decryption in seconds
Asked by user1221679
I'm a php developer and currently searching for software to protect php code. I know there exist obfuscators and encoders (and both).. but it seems that it's possible to "decrypt" code encoded with some software.
So my question is.. if it is possible to decrypt source code produced by major software companies (zend, ioncube, sourceguardian).. why are those products still on the market?
Why does this software continue to sell if anyone can (pay to) decrypt everything in seconds?
Btw, I asked this on the ioncube forum and my message was.. deleted.
regards.
Answered by Sébastien Renauld
The answer simply reduces to: because there are dumbasses stupid enough to believe that PHP can be "securely encoded", the same way there are people stupid enough to believe that requiring a serial code for an application automatically makes it secure.
ionCube relies on a pretty simplistic implementation - XOR from start to finish, which is hardly a "security measure". It runs as a VM - and is vulnerable to all VM side-channel attacks in addition to flat-out reverse engineering (one presentation here: https://media.blackhat.com/ad-12/Saher/bh-ad-12-stealing-from-thieves-Saher-slides.pdf). Will ionCube say so? No. Why? Because it dissuades the large majority of script kiddies.
I am not familiar with sourceguardian, but Zend is built in the same fashion, albeit a bit more secure and harder to beat than ionCube. However, whilst they're not trivial, they're not impossible to beat, either.
The following is taken from the Zend Guard page:
Encoding is a process where the PHP source code is converted to an intermediate machine readable format. This format is hard for humans to read and convert back to source code. As a result it protects your code from casual browsing. This means that if people obtain access to your site's code they will not be able to use that for unintended purposes.
In other words, if your user is not casually browsing, this will not hold up. I don't know about you, but I do not know a single non-dev who casually browses source code without the purpose of understanding it, and often, breaking it.
The same thing is true of every single DRM method around. However, they're still on the market. Why? Because, whilst they are not perfect, they're good enough to dissuade the large majority of people.
The law and final word of this is: if you build it, expect it to be broken and plan for it.