用 PHP Screw 保護你的程式碼
PHP 是一個直譯的程式語言,大家都喜歡 PHP 改後立即執行的優點,但明文未加密的程式碼也有一些壞處,比如寫在 Code 裡的密鑰與密碼等等,全部就被看光光了。
很多 PHP 打造的商業產品,最後佈署部到客戶機器上時,免不了需要將程式碼進行加密。目前商業的加密軟體有 Zend Guard (美年 600$) 與 PHP Encoder (199$),Zend Guard 以前有用過,算是很穩定的產品,如果程式好好寫,極少發生加密後執行結果不如預期的情況。Zend Guard 原理我猜測是編譯為 opcode,然後進行加密,執行時透過 PHP Extension 進行動態解密,由於解密完已經是可以執行的 PHP opcode,因此有官方宣稱的加速效果。PHP Encoder 我就沒有用過,也無從推論。
今天要介紹 PHP-Screw 這個很簡單的加密機制,做法與一樣是必須編譯出擁有專屬解密功能的 Extension,然後加密過的 PHP 檔案就可以透過 PHP Extension 進行解密與執行。看了 Source Code 其實實現的方法很簡單,就是透過 zencode/zdecode 進行編碼與解碼,編碼後的資料會在前方加入「PM9SCREW」字串,用來判斷 PHP 檔案是否需要解碼。
PHP Screw 安裝
直接從 GitHub Clone 一份最新的 PHP Screw Source Code,如下:
git clone https://github.com/Luavis/php-screw
第一個動作就是要修改密碼檔 (my_screw.h),之後我們會根據這個密碼檔編譯出專屬的 PHP Extension .so 檔,所以想要拿自己編譯的 Extension 去執行不同密碼加密的 PHP 是不會成功的!
cd php-screw
vim my_screw.h
編輯檔案中 pm9screw_mycryptkey 這個陣列,可以更改數字或加減元素,檔案內容如下:
short pm9screw_mycryptkey[] = { 11152, 368, 192, 1281, 62};修改後存檔,編譯之前記得安裝 php5-dev, php-config, gcc 套件,接著執行以下命令:
phpize
./configure --with-php-config= which php-config
make
執行畫面如下:
編譯好的 so 檔會放在 module 目錄下,把它掛到 php.ini 即可。
接著我們還需要編譯專屬的加密程式,切換到 tools 目錄下直接 make 即可:
cd tools
make
編譯好後會產生 screw 執行檔,透過這個執行檔可以直接加密 PHP 程式,加密後原本的明文會多了 .screw 副檔名,如下:
此外一提,之前在 APC 上就有網友討論如何進行編譯與執行分離的方式,有興趣的朋友可以參考 鳥哥的文章 與「 使用APC来保护PHP代码 」這篇文章。但是 APC 後來的對於 PHP 新版本的支援度不足,像是 PHP 5.6 就不會運作,大大們都建議改用 Opcache。其實在 PHP 7 所使用的 Opcache 中,可以在 Source Code 看到 opcache.file_cache 這樣的暗黑(Document 無記載)參數,可惜在 PHP 5.6 的 Opcache 版本中沒有這個 file_cache 功能。利用 file_cache 確實可以實現 Opcode 編譯與執行分離,大陸很多 文章 都有討論到作法。
如果真的要在 PHP 5.6 自行實現 Opcode 編譯與執行分離,要把 PHP 7 Opcache File Cache Feature 移到 PHP 5.6 是有難度的,畢竟底層的 Zend API 更動了很多,只好殘念收場,免費的先用 PHP Screw 擋一下,防君子不防小人.......下次再見!
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
AI Hentai Generator
Generate AI Hentai for free.
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
1378
52
Alipay PHP SDK transfer error: How to solve the problem of 'Cannot declare class SignData'?
Apr 01, 2025 am 07:21 AM
Alipay PHP...
Explain JSON Web Tokens (JWT) and their use case in PHP APIs.
Apr 05, 2025 am 12:04 AM
JWT is an open standard based on JSON, used to securely transmit information between parties, mainly for identity authentication and information exchange. 1. JWT consists of three parts: Header, Payload and Signature. 2. The working principle of JWT includes three steps: generating JWT, verifying JWT and parsing Payload. 3. When using JWT for authentication in PHP, JWT can be generated and verified, and user role and permission information can be included in advanced usage. 4. Common errors include signature verification failure, token expiration, and payload oversized. Debugging skills include using debugging tools and logging. 5. Performance optimization and best practices include using appropriate signature algorithms, setting validity periods reasonably,
Explain the concept of late static binding in PHP.
Mar 21, 2025 pm 01:33 PM
Article discusses late static binding (LSB) in PHP, introduced in PHP 5.3, allowing runtime resolution of static method calls for more flexible inheritance.Main issue: LSB vs. traditional polymorphism; LSB's practical applications and potential perfo
Framework Security Features: Protecting against vulnerabilities.
Mar 28, 2025 pm 05:11 PM
Article discusses essential security features in frameworks to protect against vulnerabilities, including input validation, authentication, and regular updates.
Customizing/Extending Frameworks: How to add custom functionality.
Mar 28, 2025 pm 05:12 PM
The article discusses adding custom functionality to frameworks, focusing on understanding architecture, identifying extension points, and best practices for integration and debugging.
How to send a POST request containing JSON data using PHP's cURL library?
Apr 01, 2025 pm 03:12 PM
Sending JSON data using PHP's cURL library In PHP development, it is often necessary to interact with external APIs. One of the common ways is to use cURL library to send POST�...
Describe the SOLID principles and how they apply to PHP development.
Apr 03, 2025 am 12:04 AM
The application of SOLID principle in PHP development includes: 1. Single responsibility principle (SRP): Each class is responsible for only one function. 2. Open and close principle (OCP): Changes are achieved through extension rather than modification. 3. Lisch's Substitution Principle (LSP): Subclasses can replace base classes without affecting program accuracy. 4. Interface isolation principle (ISP): Use fine-grained interfaces to avoid dependencies and unused methods. 5. Dependency inversion principle (DIP): High and low-level modules rely on abstraction and are implemented through dependency injection.
How does session hijacking work and how can you mitigate it in PHP?
Apr 06, 2025 am 12:02 AM
Session hijacking can be achieved through the following steps: 1. Obtain the session ID, 2. Use the session ID, 3. Keep the session active. The methods to prevent session hijacking in PHP include: 1. Use the session_regenerate_id() function to regenerate the session ID, 2. Store session data through the database, 3. Ensure that all session data is transmitted through HTTPS.
