Solace Script Maze v1.1 (light edition)
(c) Zilav, 2003-2004 <firstname.lastname@example.org>
I'm sorry for all grammar mistakes below, English in not my
native language, and I'll try to be short.
Solace Script Maze (SSM) is meant to protect PHP scripts from
stealing and modifications. It uses only PHP functions to encode
scripts, so NO additional extensions are required to encode and
execute protected scripts.
SSM uses 'maze' technology - circular encryption of script by
random methods desired times. Now exists several similar protection
systems for PHP, but they all try to do the same - just to encode
your script with some algorithm, possibly using your own key (user
password). The main disadvantage of such method is that any
experience PHP programmer can easily hack it, like any interpreter
pages, isn't it?). That's why SSM tries to not 'encode' your script,
but to 'hide' it inside a 'maze' of different protection procedures.
Your own script remains inside protection wrapper unmodified, as is.
On every mazing step decoding procedure is morphed (or simply
saying uniquely modified) to prevent automatic decryption, thus
forcing a possible hacker to do all the job by hands, spending his
time (and money as well). And protection is successful when hacking
costs are equal to buying.
I must admit, that by directly modifying PHP it will be rather
easy to decode scripts (PHP open source is headache for protection),
that's why SSM optionally supports Turck MMCache and Turck Loader
(http://turck-mmcache.sourceforge.net) which can convert your
scripts into precompiled opcodes (like Zend Encoder), and this is
almost irreversible. But to execute scripts Turck extension must be
SSM was tested with PHP4 and PHP5 on Windows 9X/2K/XP, Linux,
Free-BSD and Solaris, but I think will work on other systems as
This is a light version, it has only a small number of
encoders, less protection 'tricks' and weak optimization. It is free
for non-commercial use, you can not earn money my mazing scripts.
However you can still freely encode your own commercial scripts. SSM
Pro version is much stronger, has a nice Windows GUI, but it's not
SSM itself and mazed scripts requires PHP 4.3.0 or greater, and
is compatible with PHP 5 as well. If you checked Turck option while
mazing, then Turck MMCache or Turck Loader extension must be
!!! Create and place all protection procedures into ENCODELIB folder !!!
SMM must have the following directory structure:
ENCODELIB\_bottom_turck.php (only for Turck encoding)
ENCODELIB\_top_turck.php (only for Turck encoding)
ENCODELIB\*.php (several encode libs)
index.php (www GUI)
index.htm (GUI template)
phpmaze.php (maze class)
phpmorph.php (morph class)
sftemplate.php (template engine class)
If you use Turck encoding, then grant phpmaze.php write access
in the current folder.
Execute index.php in your browser.
* Custom maze level - specify number of times to maze your
script, the more the stronger protection is, but execution will take
* Custom morph level - complexity degree of code morphing, or
number of times the code is morphed. Affects size of resulting
script, do not set too much, 2 is normal.
* Master password - you can provide your own password when
mazing, and later you can always decode scripts with this password.
Pass it as 'unmaze' parameter for protected script:
* Compression - protection wrapper has some size, and the more
maze and morph level you set, the greater it will become. To reduce
resulting size SSM can apply compression on last mazing step. This
requires ZLIB functions. All new PHP versions have built-in ZLIB, so
you can always use compression. Decompression is very fast, and
won't increase execution time.
* Self-integrity check - when executed mazed script opens itself
(for reading only) and checks CRC to detect hacking. If hack attempt
is detected then parse error is simulated.
* Client/Server IP binding - you can specify IP addresses or
masks to allow execution only for desired clients and/or on desired
servers. All other clients will see error message. Mask can contain
'*' char (any number 0-255), for example 192.168.0.*
* Expiration date/time - script will work only till specified
Here are some limitations for you scripts:
* decoding wrapper uses global variables V000-V999, so if you use
them or pass variables with the same names from forms with
register_globals turned on, there will be conflict. Try to change
names or access them through $_REQUEST array.
* your actual script is executed with eval(), so __FILE__
constant will contain string "eval'd code", thus constructs such as
basename(__FILE__) won't work without special parsing.
debug_backtrace() result will also have some slight changes.
* SSM parses your script by <? ?> tags, so if you have them
inside strings (for example) 'aaa <? bbb', SSM can parse
incorrectly. Try to split '<'.'?' or do something else to 'hide'
You may notice, that decoding time (unmazetest parameter) is
quite fast, but remember that it is only for a single script. For
example, if you encode 10 scripts, and each one decodes in 0.3
seconds, but the first one includes all others, then total time for
this script will be 0.3*10 = 3 sec, and this is not as good as it
was before (unmazetest will still show 0.3 sec because it aborts
execution and doesn't process other includes). So try to protect
only crucial and valuable scripts in large projects, e.g. don't
protect public DB layers or template engine files, anybody can
always freely download them.
It is also possible to protect HTML pages without PHP code at
all, just do not encode templates of your template engine (if you
use any). I think you understand why.
SSM can use your own written encoders for protection, just try to
write in similar syntax with other libs (in encodelib folder).
table_reorder.php is very nice and simple example template to start
from (variable $V001 contains string with char codes 0-255). All
encoders are processed with morpher, which has some serious
limitations (in light version), that's why try to be as close in
syntax as possible. Your own encode methods will make your mazed
scripts unique, greatly increasing protection strength.
I can only advise you to encode any script, and then try to
decode it yourself. If you find it easy, then look for a better
protection system (also keep in mind that possible intruders might
not be so experienced as you, especially if they want to steal your
code, and can not write it themselves).