PHP Classes

File: ssm.txt

Recommend this page to a friend!
  Classes of Zubov Ilya  >  Solace script maze  >  ssm.txt  >  Download  
File: ssm.txt
Role: Documentation
Content type: text/plain
Description: Documentation
Class: Solace script maze
PHP source code protection based only on PHP code
Author: By
Last change:
Date: 17 years ago
Size: 8,655 bytes


Class file image Download
Solace Script Maze v1.1 (light edition)
(c) Zilav, 2003-2004 <>

    I'm  sorry  for all grammar mistakes below, English  in  not  my
    native language, and I'll try to be short.

1. Introduction
2. Requirements
3. Installation
4. Options
5. Tips
6. Conclusion

    1. Introduction
    Solace  Script Maze (SSM) is meant to protect PHP  scripts  from
stealing  and  modifications. It uses only PHP functions  to  encode
scripts,  so  NO additional extensions are required  to  encode  and
execute protected scripts.
    SSM  uses  'maze' technology - circular encryption of script  by
random  methods desired times. Now exists several similar protection
systems  for PHP, but they all try to do the same - just  to  encode
your  script with some algorithm, possibly using your own key  (user
password).  The  main  disadvantage  of  such  method  is  that  any
experience  PHP programmer can easily hack it, like any  interpreter
language  script  (it's easy to avoid Javascript protection  on  web
pages, isn't it?). That's why SSM tries to not 'encode' your script,
but to 'hide' it inside a 'maze' of different protection procedures.
Your own script remains inside protection wrapper unmodified, as is.
    On  every  mazing step decoding procedure is morphed (or  simply
saying  uniquely  modified)  to prevent automatic  decryption,  thus
forcing  a possible hacker to do all the job by hands, spending  his
time  (and money as well). And protection is successful when hacking
costs are equal to buying.
    I  must  admit, that by directly modifying PHP it will be rather
easy to decode scripts (PHP open source is headache for protection),
that's  why  SSM optionally supports Turck MMCache and Turck  Loader
(  which   can   convert   your
scripts  into precompiled opcodes (like Zend Encoder), and  this  is
almost irreversible. But to execute scripts Turck extension must  be
    SSM  was  tested with PHP4 and PHP5 on Windows 9X/2K/XP,  Linux,
Free-BSD  and  Solaris, but I think will work on  other  systems  as

    This  is  a  light  version,  it has  only  a  small  number  of
encoders, less protection 'tricks' and weak optimization. It is free
for  non-commercial use, you can not earn money my  mazing  scripts.
However you can still freely encode your own commercial scripts. SSM
Pro  version is much stronger, has a nice Windows GUI, but it's  not

    2. Requirements
    SSM  itself and mazed scripts requires PHP 4.3.0 or greater, and
is  compatible with PHP 5 as well. If you checked Turck option while
mazing,  then  Turck  MMCache  or Turck  Loader  extension  must  be

3. Installation
    !!! Create and place all protection procedures into ENCODELIB folder !!!
    SMM must have the following directory structure:
        ENCODELIB\_bottom_turck.php     (only for Turck encoding)
        ENCODELIB\_top_turck.php        (only for Turck encoding)
        ENCODELIB\*.php                 (several encode libs)
        index.php                       (www GUI)
        index.htm                       (GUI template)
        phpmaze.php                     (maze class)
        phpmorph.php                    (morph class)
        sftemplate.php                  (template engine class)

    If  you  use Turck encoding, then grant phpmaze.php write access
in the current folder.
    Execute index.php in your browser.

    4. Options
   *  Custom  maze  level - specify number of  times  to  maze  your
script, the more the stronger protection is, but execution will take
more  time.
   *  Custom  morph level - complexity degree of code  morphing,  or
number  of  times  the code is morphed. Affects  size  of  resulting
script, do not set too much, 2 is normal.
   *  Master  password  -  you can provide your  own  password  when
mazing,  and later you can always decode scripts with this password.
Pass    it    as   'unmaze'   parameter   for   protected    script:
   *  Compression - protection wrapper has some size, and  the  more
maze  and morph level you set, the greater it will become. To reduce
resulting  size SSM can apply compression on last mazing step.  This
requires ZLIB functions. All new PHP versions have built-in ZLIB, so
you  can  always  use compression. Decompression is very  fast,  and
won't increase execution time.
   *  Self-integrity check - when executed mazed script opens itself
(for reading only) and checks CRC to detect hacking. If hack attempt
is detected then parse error is simulated.
   *  Client/Server  IP binding - you can specify  IP  addresses  or
masks  to allow execution only for desired clients and/or on desired
servers. All other clients will see error message. Mask can  contain
'*' char (any number 0-255), for example 192.168.0.*
   *  Expiration  date/time - script will work only  till  specified

    5. Tips
   Here are some limitations for you scripts:
   * decoding wrapper uses global variables V000-V999, so if you use
them  or  pass  variables  with  the  same  names  from  forms  with
register_globals turned on, there will be conflict.  Try  to  change
names or access them through $_REQUEST array.
   *  your  actual  script  is  executed with  eval(),  so  __FILE__
constant will contain string "eval'd code", thus constructs such  as
basename(__FILE__)    won't    work   without    special    parsing.
debug_backtrace() result will also have some slight changes.
   *  SSM  parses  your script by <? ?> tags, so if  you  have  them
inside   strings  (for  example)  'aaa  <?  bbb',  SSM   can   parse
incorrectly.  Try to split '<'.'?' or do something  else  to  'hide'

   You  may  notice,  that decoding time (unmazetest  parameter)  is
quite  fast,  but remember that it is only for a single script.  For
example,  if  you  encode 10 scripts, and each one  decodes  in  0.3
seconds, but the first one includes all others, then total time  for
this  script will be 0.3*10 = 3 sec, and this is not as good  as  it
was  before  (unmazetest will still show 0.3 sec because  it  aborts
execution  and  doesn't process other includes). So try  to  protect
only  crucial  and  valuable scripts in large projects,  e.g.  don't
protect  public  DB  layers or template engine  files,  anybody  can
always freely download them.

   It  is  also possible to protect HTML pages without PHP  code  at
all,  just do not encode templates of your template engine  (if  you
use any). I think you understand why.

   SSM can use your own written encoders for protection, just try to
write  in  similar  syntax with other libs  (in  encodelib  folder).
table_reorder.php is very nice and simple example template to  start
from  (variable  $V001 contains string with char codes  0-255).  All
encoders  are  processed  with  morpher,  which  has  some   serious
limitations  (in light version), that's why try to be  as  close  in
syntax  as  possible. Your own encode methods will make  your  mazed
scripts unique, greatly increasing protection strength.

    6. Conclusion
    I  can  only  advise you to encode any script, and then  try  to
decode  it  yourself. If you find it easy, then look  for  a  better
protection  system (also keep in mind that possible intruders  might
not  be so experienced as you, especially if they want to steal your
code, and can not write it themselves).
    Good luck!

For more information send a message to info at phpclasses dot org.