5.6. Obfuscation
The Obfuscation tab in the Project Settings dialog is illustrated below:
Some strings remain in the PHP bytecode stream after encoding. For example, local variable names are present after compilation. To prevent these strings from appearing in encoded files, the Encoder features an optional obfuscation processor that is used after the PHP source has been encoded to compiled bytecode.
Obfuscation options
The checked boxes determine which aspects of the compiled PHP bytecode
will be obfuscated. Currently class and method names, line numbers,
global function names and local variable names can be obfuscated.
The Obfuscation key should contain a secret phrase to be used
when obfuscating strings. A random obfuscation key can be created by
clicking on the Generate random key button. The obfuscation
algorithm is a one way process that would require a brute force attack
and knowledge of the key to reverse.
Note: If local variable obfuscation is used, variable
variable assignment may not work as expected (e.g. $$keyName = $value).
Obfuscation exclusions
While it can be desirable to obfuscate names, it is sometimes necessary to prevent specific class, method and function names from being obfuscated. Such cases include elements in non-obfuscated code that are to be referenced from obfuscated code, elements in obfuscated scripts that are to be called by unencoded scripts, and functions in obfuscated code used as callbacks to builtin functions.
To specify these exceptions, a text file should be created with the
required elements. The text file can contain sections identified with
[classes], [methods] and [functions],
followed by the names of the classes, methods and functions occurring
one per line in the relevant section. Namespaces should be used where
relevant. The absolute path to this file should be entered in
the Exclusion file field.
An example of an exclusion file is below:
[classes]
# Exclude our GlobalModule class for introspection purposes
GlobalModule
Provider\Module
[methods]
getName
[functions]
fn1 # used with preg_replace so we mustn't obfuscate
fn2
Blank lines and text appearing after a # character in an exclusion file are ignored.
Notes:
- excluding a function will also disable obfuscation of any local variables within that function.
- excluding a class name will exclude just the name of the class from being obfuscated and not any contents of the class such as methods.
- for security reasons, excluding a method name will exclude it from being obfuscated in all classes having a method of the same name, which avoids needing a reversible obfuscation technique.
- variable variable assignment (e.g.
$$keyName = $value) may not work as expected if local variable obfuscation is used. Excluding the function from being obfuscated where such assignments are used will handle this case.