pk-fr / yakpro-po Goto Github PK
View Code? Open in Web Editor NEWYAK Pro - Php Obfuscator
Home Page: http://www.php-obfuscator.com
License: Other
YAK Pro - Php Obfuscator
Home Page: http://www.php-obfuscator.com
License: Other
Hi, sometimes it would be useful to follow symlinks instead of replicating them. Maybe only when the output directory is specified.
yakpro-po source_directory -o target_directory
Currently I commented out the if (is_link($source_path)) …
block in
yakpro-po/include/functions.php
Line 228 in f5e43ac
Thanks!
Hello.
I have seen this:
Note: This tool has been written in order to obfuscate pure php sources. it is not intended to be used with html and embeded php inside (you may try to deactivate statements shuffling...). You can still embed html within php using the echo <<<END ... END; syntax!
How about converting embedded html to echo << END .. END syntax before obfuscation ? PHP-Parser can help with it ?
Hi, Pascal! First of all - thanks a lot for YAK Pro, it's the best php obfuscator, I saw on github.
Need some help to work it out with my current project, that use composer autoload https://getcomposer.org/doc/01-basic-usage.md#autoloading
Before obfuscation:
vendor/composer/autoload_real.php
class ComposerAutoloaderInitcef6ac477e716f5e193a43f09eb4d6a4
{
private static $loader;
public static function loadClassLoader($class)
{
if ('Composer\Autoload\ClassLoader' === $class) {
require __DIR__ . '/ClassLoader.php';
}
}
public static function getLoader()
{
if (null !== self::$loader) {
return self::$loader;
}
spl_autoload_register(array('ComposerAutoloaderInitcef6ac477e716f5e193a43f09eb4d6a4', 'loadClassLoader'), true, true);
self::$loader = $loader = new \Composer\Autoload\ClassLoader();
spl_autoload_unregister(array('ComposerAutoloaderInitcef6ac477e716f5e193a43f09eb4d6a4', 'loadClassLoader'));
After obfuscation
vendor/composer/autoload_real.php
class It72Z
{
private static $nCiZ5;
public static function BYb7h($FP2VQ)
{
1 if ('Composer\\Autoload\\ClassLoader' === $FP2VQ) {
require __DIR__ . '/ClassLoader.php';
}
}
public static function b80JC()
{
if (null !== self::$nCiZ5) {
return self::$nCiZ5;
}
2 spl_autoload_register(array('ComposerAutoloaderInitcef6ac477e716f5e193a43f09eb4d6a4', 'loadClassLoader'), true, true);
self::$nCiZ5 = $r2XDu = new \I_myr\xeXKb\z2cFF();
spl_autoload_unregister(array('ComposerAutoloaderInitcef6ac477e716f5e193a43f09eb4d6a4', 'loadClassLoader'));
It need's to be:
1 if ('I_myr\xeXKb\z2cFF' === $FP2VQ) {
2 spl_autoload_register(array('It72Z', 'BYb7h'), true, true);
and so on. When I corrected this file myself and go deeper - there are more errors like this in files, that are automatic generated by composer.
So my question is - Did you try to obfuscate projects, that use composer? If yes, what settings I need to make in yakpro-po.cnf to make it work? Maybe add some standard composer classes in t_ignore_pre_defined_classes?
Thanks!
Hey, I've been testing your obfuscator (and it's awesome so far.) I stumbled over a few minor issues and will open a report to track the status for each.
Test case:
<?php
class Test {
const FOO = 'BAR';
static public function printFoo() {
echo self::FOO;
}
}
Example obfuscated output:
<?php
class VTMys
{
const tbLwc = "\x42\101\x52";
public static function X09pB()
{
echo self::FOO;
}
}
The obfuscated code will not run because self::FOO
was not replaced by self::tbLwc
.
Test case:
<?php
$mapTable = [1=>2, 2=>3, 3=>4];
$input = [1, 2, 3];
$result = array_map(function ($elem) use ($mapTable) {
return $mapTable[$elem];
}, $input);
// $result is now [2, 3, 4]
Example output:
$ yakpro-po testUseScrambling.php --no-strip-indentation --no-shuffle-statements
<?php
$pc7UO = array(1 => 2, 2 => 3, 3 => 4);
$Vb40o = array(1, 2, 3);
$MO9uG = array_map(function ($lCrNn) use($mapTable) {
return $pc7UO[$lCrNn];
}, $Vb40o);
The obfuscator should have emitted $pc7UO
instead of $mapTable
for the code to be equivalent to the input.
Is it possible to run yakpro without removing comments?
thank you.
Hi,
since since PHP 7.0 the expression new
is no longer reserved, so it can also be used as function names, it would be desirable if you consider this in the next update.
There are some third party libs that use this expression. Would be a great feature.
Particularlarly html template with inline php code inside
Hi, I installed PHP-Parser as indicated at xampp\parser\ folder vía composer. I extracted yakpro-po.zip in that folder as directed but seems not to work. ¿How can I get it done? I'm running windows 8.
I have php-parser installed via composer and I can't get yakpro to see it properly. I don't want to load the 9000 files required by git. If you can provide a basic outline of where things need to be it would be helpful
Hello,
I am facing issue after converting code for bench mark script. Its not working fine.
http://www.php-benchmark-script.com/
file: http://www.php-benchmark-script.com/download.php?file=bench.zip
Hi, I'm testing your software on php scripts that can be launched on the command line. On these scripts there seem to be an issue because this code:
#!/usr/bin/php
<?php echo "123"; ?>
becomes this (comments stripped out)
<?php echo "\43\x21\57\x75\163\x72\x2f\142\x69\x6e\57\x70\x68\x70\12"; echo "\61\62\x33";
where \43\x21\57\x75\163\x72\x2f\142\x69\x6e\57\x70\x68\x70\12 is #!/usr/bin/php
instead of
#!/usr/bin/php
<?php echo "\61\62\x33"; ?>
Am I doing anything wrong?
How can I run the obfuscated project in wamp server ? is there any loader like other obfuscation tools zend, ioncube , source guardien ?
At the end by running this command
yakpro-po --help
The error:
`PHP Notice: A non well formed numeric value encountered in /usr/local/yakpro-po/include/check_version.php on line 25
PHP Stack trace:
PHP 1. {main}() /usr/local/yakpro-po/yakpro-po.php:0
PHP 2. require_once() /usr/local/yakpro-po/yakpro-po.php:20
Notice: A non well formed numeric value encountered in /usr/local/yakpro-po/include/check_version.php on line 25
Call Stack:
0.0009 371808 1. {main}() /usr/local/yakpro-po/yakpro-po.php:0
0.0039 382688 2. require_once('/usr/local/yakpro-po/include/check_version.php') /usr/local/yakpro-po/yakpro-po.php:20
Error: Wrong version of PHP-Parser detected!
Currently, only 4.x branch of PHP-Parser is supported!
You can try to use the following command:
# git clone https://github.com/nikic/PHP-Parser.git
`
Hi guy,
first of all thank you for your work.
I have a problem and hope you can help me.
I use the eval functions in some place of my code and when I try to obfuscate it doesn't word:
`<?php
function funcTest($param)
{
return "hey! " . $param;
}
$sFuncToCall = "funcTest";
$sParam = "hello world";
eval("$sReturnFunction = " . $sFuncToCall . "("" . $sParam . "");");
echo $sReturnFunction;
?>`
and here you can find obfuscated version:
`<?php
function funcTest($A92PuKiSftPYqqd)
{
return "\150\x65\171\x21\x20" . $A92PuKiSftPYqqd;
}
$ZvHkE9gCbvdtEZE = "\x66\x75\x6e\143\x54\x65\163\x74";
$JNc7kjLDMCgghbp = "\x68\x65\x6c\x6c\x6f\40\x77\157\x72\x6c\x64";
eval("\x24\x73\x52\x65\x74\165\x72\x6e\106\165\156\x63\x74\151\x6f\156\x20\x3d\x20" . $ZvHkE9gCbvdtEZE . "\x28\x22" . $JNc7kjLDMCgghbp . "\42\x29\73");
echo $HvGn14hkJPjuMtz;
?>`
If I have this code:
a.php:
function f() {
echo 'test';
}
include('b.php');
b.php:
if (!function_exists('f')) {
function f() {
echo 'test2';
}
}
When the option shuffle_stmts
is enabled, the definition of f()
in b.php
will be appear out of the if
, therefore the php interpreter will try to define the function in "parse" time instead of execution time, and this will throw the error below:
PHP Fatal error: Cannot redeclare f() in b.php on line 2
Maybe we can just add an if (true)
in these situations.
I cannot obfuscate a simple WordPress plugin (like https://wordpress.org/plugins/disable-google-fonts/) with your tool but it works with other tools (like https://github.com/naneau/php-obfuscator).
In /var/www/html/wordpress/wp-content/plugins
, I execute ~/Downloads/yakpro-po/yakpro-po.php disable-google-fonts -o disable-google-fonts-dev
I don't know if we need to keep the files generated in the folder yakpro-po
, so I tried to keep them (I got a fatal error message when I tried without keeping the folder).
To keep the yakpro-po
folder structure, I created a main file disable-google-fonts.php
in the folder disable-google-fonts-dev
with these basic informations to load the WordPress plugin:
<?php
/**
* Plugin Name: Disable Google Fonts Dev
*/
require_once 'yakpro-po/obfuscated/disable-google-fonts.php';
When I try to activate the plugin in the WordPress admin area, I still get the error message (there is no function named WeIzo
in the original plugin, it looks like an obfuscated name):
Fatal error: Uncaught Error: Call to undefined function WeIzo() in /var/www/html/wordpress/wp-content/plugins/disable-google-fonts-dev/yakpro-po/obfuscated/disable-google-fonts.php:8 Stack trace: #0 /var/www/html/wordpress/wp-content/plugins/disable-google-fonts-dev/yakpro-po/obfuscated/disable-google-fonts.php(8): DcYMB->__construct() #1 /var/www/html/wordpress/wp-content/plugins/disable-google-fonts-dev/disable-google-fonts.php(6): require_once('/var/www/html/w...') #2 /var/www/html/wordpress/wp-admin/includes/plugin.php(1897): include('/var/www/html/w...') #3 /var/www/html/wordpress/wp-admin/plugins.php(172): plugin_sandbox_scrape('disable-google-...') #4 {main} thrown in /var/www/html/wordpress/wp-content/plugins/disable-google-fonts-dev/yakpro-po/obfuscated/disable-google-fonts.php on line 8
Edit: my copy-paste of the error message referenced several unrelated issues because of the '#' character, I don't know if we can avoid this.
PHP Fatal error: Cannot instantiate interface PhpParser\Parser in yakpro-po-master/yakpro-po.php on line 32
when I try to run, I receive this error.
Hello,
the main file's shebang points to /usr/bin/php
. This is not the convention and will cause trouble on systems with multiple PHP installations, especially because the output of the script depends on the PHP environment and its installed addons.
Please change the first line to #!/usr/bin/env php
so that the shell's active PHP version is used.
Your README file also specifies that the main PHP file should be made executable. Right now, every pull on my *nix platforms results in a conflict due to incorrect permissions, so that I have to revert permissions before pulling/merging. Why not include the correct permissions with the git repository right away? On *nix, just chmod +x and git add
the file again. On Windows, the git update-index --chmod=+x yakpro-po.php
command would have the same effect because there is no executable bit on Windows.
Cheers, Oliver
I ran the obfuscator on a project that has a bin folder with a few executable files but they lost the execution bit. It would be nice if the obfuscator kept the same permissions for the files.
Hi,
Is there some way to ignore or validate symphony (framework) annotations?
I work on symphony and php-obfuscator remove them from the source code. What can i do in such case?
Thanks in advance
example:
Until that is resolved, I have to deactivate obfuscation for classes and methods.
Well, I know it's minor glitches, overall good job !
Hello, thank you so much for your amazing tool.
I met a problem with your tool: I am trying to obfuscate some php webshell using your tool for research purpose. I tried to obfuscate this file using the default setting of your tool, and then the obfuscated file is not working. Do you have any idea why?
Thanks a lot.
When limiting the scope of predefined functions which are scanned, the scrambler catches some reserved function names such as __call
because they do not appear in any of the scanned predefined classes.
The reason for this is that in scrambler.php, line 265, t_ignore is populated with a list of reserved functions, not methods. No fancy example this time ;).
I have problem with code after obfuscation if It has a variables in global array :
this original :
`<?php
ini_set("display_errors",true);
class cc {
function ee (){
echo ("test");
}
}
$GLOBALS["xc"] = new cc();
function vv (){
global $xc;
$xc->ee();
}
vv();
?>`
this after modify :
<?php /* __________________________________________________ | Obfuscated by YAK Pro - Php Obfuscator 2.0.4 | | on 2020-01-09 14:47:59 | | GitHub: https://github.com/pk-fr/yakpro-po | |__________________________________________________| */ goto TWmXm; I1BoU: $GLOBALS["xc"] = new cc(); goto aNeS0; TWmXm: ini_set("display_errors", true); goto IHi_O; IHi_O: class cc { function ee() { echo "test"; } } goto I1BoU; aNeS0: function qtRlm() { global $SyCuk; $SyCuk->ee(); } goto HOmQB; HOmQB: QTrLM();
when run , it's show error :
PHP Fatal error: Uncaught Error: Call to a member function ee() on null
Is there any config for solve this problem ?
Hi I got a fatal error trying to encrypt e file with this function in it
because yakpro renames !is_dir_writeable()
to vcLmF()
My original code
<?php
class Tbuy_Imageflow_Model_From_Imageflow extends Tbuy_Flow_Model_From_Abstract
{
const PROCESSED_IMAGES_DIR = 'processed';
protected function getProcessedImagesDir() {
$processed_images_dir = $this->getImagesPath().
self::PROCESSED_IMAGES_DIR . DS .
date('Y', time()) . DS .
date('m', time()) . DS .
date('d', time()) . DS;
if (!is_dir($processed_images_dir)) {
mkdir($processed_images_dir, 0777, true);
}
if (!is_dir_writeable($processed_images_dir)) {
Mage::helper('imageflow')->log("Can not move processed photo to processed dir. Directory is not writable: {$processed_images_dir}");
return null;
}
return $processed_images_dir;
}
}
The converted code
<?php
class Tbuy_Imageflow_Model_From_Imageflow extends Tbuy_Flow_Model_From_Abstract
{
const PROCESSED_IMAGES_DIR = "\x70\162\x6f\x63\x65\x73\x73\x65\144";
protected function getProcessedImagesDir()
{
goto kGds_;
kknU7:
mkdir($SlSU7, 0777, true);
goto gZmxS;
hocLc:
Gw1y_:
goto nPOXa;
f8qY3:
return null;
goto hocLc;
kGds_:
$SlSU7 = $this->getImagesPath() . self::PROCESSED_IMAGES_DIR . DS . date("\x59", time()) . DS . date("\155", time()) . DS . date("\144", time()) . DS;
goto zREWq;
gZmxS:
lOHav:
goto rvtAR;
zREWq:
if (is_dir($SlSU7)) {
goto lOHav;
}
goto kknU7;
rvtAR:
if (vcLmF($SlSU7)) {
goto Gw1y_;
}
goto D0fGD;
D0fGD:
Mage::helper("\x69\155\141\147\x65\x66\154\x6f\167")->log("\103\x61\156\x20\x6e\157\x74\x20\x6d\157\x76\x65\x20\160\x72\157\x63\x65\163\x73\x65\144\40\x70\150\x6f\x74\157\40\x74\157\x20\160\x72\157\143\145\163\163\145\x64\40\144\151\x72\56\40\x44\x69\x72\x65\x63\164\157\162\x79\x20\x69\x73\40\156\157\164\40\x77\162\151\164\x61\x62\x6c\x65\x3a\x20{$SlSU7}");
goto f8qY3;
nPOXa:
return $SlSU7;
goto p2_w3;
p2_w3:
}
}
This is the configuration used
I've worked around it by setting
$conf->t_ignore_functions = ['is_dir_writeable']
Thank you very much
Andrea
I know php7.4 is still not released but I wanted to share an issue I'm facing. (works well with other PHP versions)
Exception ParseError:syntax error, unexpected 'FN' (T_FN), expecting identifier (T_STRING)
In my particular case, I'm runnign it as:
yakpro-po/yakpro-po.php --scramble-length 2 --scramble-mode identifier --no-obfuscate-namespace-name --no-obfuscate-method-name --no-obfuscate-property-name --no-obfuscate-trait-name --no-obfuscate-interface-name --no-obfuscate-class-name --no-obfuscate-class_constant-name --no-obfuscate-constant-name --no-obfuscate-function-name
Example:
class test { function out (){ echo 'test text'; } } $t = new test; call_user_func_array ([$t, 'out'], []);
The problem is the string "out" :-(
Please fix this bug.
Do you have idea to make the code run as expected after Obfuscation?
/* Suppose that $var_array is an array returned from
wddx_deserialize */
$size = "large";
$var_array = array("color" => "blue",
"size" => "medium",
"shape" => "sphere");
extract($var_array, EXTR_PREFIX_SAME, "wddx");
echo "$color, $size, $shape, $wddx_size\n";
Class names in expression "instanceof " are not obfuscated.
Patch suggestion:
/includes/classes/parser_extensions/my_node_visitor.php
+214:
|| ($node instanceof PhpParser\Node\Expr\Instanceof_)
+569
if ($node instanceof PhpParser\Node\Expr\Instanceof_)
{
if (isset($node->{'class'}->parts))
{
$parts = $node->{'class'}->parts;
for($i=0;$i<count($parts)-1;++$i)
{
$name = $parts[$i];
if ( is_string($name) && (strlen($name) !== 0) )
{
$r = $scrambler->scramble($name);
if ($r!==$name)
{
$node->{'class'}->parts[$i] = $r;
$node_modified = true;
}
}
}
}
}
Test case:
<?php
class FooException extends Exception { }
try {
echo "foo ";
throw new FooException;
}
catch (FooException $foo) {
echo "bar\n";
}
Example output:
<?php
class N0VHa extends Exception
{
}
try {
echo "\146\157\157\x20";
throw new N0vHa();
} catch (FooException $b0p6v) {
echo "\142\x61\162\12";
}
FooException
should have been replaced by N0VHa
for the above example to work.
Today I got a file obfuscated by your tool. I can not read the file clearly. So how to unobfuscate the file so that I can read it easily?
public function getMapped(bool $named = false): array {
$types = Duffs::getTypes();
$clients = [];
if(in_array("duff", $licenseTypes)){
if($named){
$clients["duff"] = $this->duff;
} else {
$clients[array_search("duff", $types)] = $this->duff;
}
}
return $clients;
}
this will end up of being assigned a null value for some reason, the array position will exist for my case as types is fine, but for some reason the assignment wont work
public function getMapped(bool $KAqAA = false): array {
goto uAVh4;
mCkRt:
$GhFDC["\x64\165\x66\146"] = $this->Y2GpO;
goto OC0IH;
xVc1l:
if ($KAqAA) {
goto W2Cf3;
}
goto SVjBD;
BkqXo:
return $GhFDC;
goto JfBez;
XvXVQ: W2Cf3:
goto mCkRt;
faMB6:
$GhFDC = [];
goto b5s0K;
OC0IH: a5y0c:
goto DJ1OH;
SVjBD:
$GhFDC[array_search("\144\x75\146\x66", $iYKZc)] = $this->Y2GpO;
goto R6kua;
DJ1OH: kmVls:
goto BkqXo;
uAVh4:
$Ds0TU = Duffs::getTypes();
goto faMB6;
R6kua:
goto a5y0c;
goto XvXVQ;
b5s0K:
if (!in_array("\144\165\x66\146", $Ds0TU)) {
goto kmVls;
}
goto xVc1l;
JfBez:
}
I think the issue is deeper, because the data is retrieved from an Object.
and the Method also gets obfuscated though the obfuscator has no concept of the objects contents.
private function mapData(Object $data) : void{
$this->duff = $data->duff;
}
$data
is JSON parsed via json_decode()
so a native PHP object
but it becomes obfuscated too
private function mapData(Object $mMRNs): void {
$this->dM_Iz = $mMRNs->dM_Iz;
}
Where dM_lz
should stay duff
because the object map stays the same even if obfuscated.
Test case:
<?php
use FooNamespace\BarClass;
BarClass::fooMethod();
Example output:
<?php
use Ursex\edPAQ as eDpAq; lhk21::n0Qum();
I would have expected the obfuscator to emit eDpAq::n0Qum();
as function call instead. Some implementation for aliasing classes appears to be there already since an 'as' is appended to the 'use' statement, but it doesn't do the right thing just yet.
I have yakpropo sometimes processing php files containing only the php opener and a carriage return
"<?php
"
(that file has to be there and go through the obfuscator, Framework reasons, a standard file that is usually not empty but sometimes is).
As log says (below), it's probably an issue in PhpParser, but maybe yakpropo could have a workaround? It's not a blocking issue for me, I put a dummy code line in the file.
pStmts(Array, false) #1 C:\tortoise\Cortex\WebFramework\LTK\tools\yakpro-po\PHP-Parser\lib\PhpParser\PrettyPrinterAbstract.php(116): PhpParser\PrettyPrinterAbstract->prettyPrint(Array) #2 C:\tortoise\Cortex\WebFramework\LTK\tools\yakpro-po\include\functions.php(58): PhpParser\PrettyPrinterAbstract->prettyPrintFile(Array) #3 C:\tortoise\Cortex\WebFramework\LTK\tools\yakpro-po\yakpro-po.php(60): obfuscate('C:\tortoise\Cor...') #4 {main} thrown in C:\tortoise\Cortex\WebFramework\LTK\tools\yakpro-po\PHP-Parser\lib\PhpParser\PrettyPrinterAbstract.php on line 155 make[2]: **\* [C:/xampp/htdocs/Cux/Template/data.php] Error 255Test case:
<?php
echo "a";
use FooNamespace\BarClass;
echo "b";
BarClass::foo();
echo "c";
echo "d";
echo "e";
Example obfuscated output:
$ yakpro-po --silent --shuffle-statements --no-obfuscate-namespace-name --no-obfuscate-class-name --no-obfuscate-string-literal testScramblerUse.php
<?php
goto eRjJL; eRjJL: echo 'a'; goto bMybk; jYOQK: echo 'c'; goto RLpd3; s61kw: echo 'b'; goto N2256; N2256: BarClass::U_97n(); goto jYOQK; RLpd3: echo 'd'; goto V30rC; bMybk: use FooNamespace\BarClass; goto s61kw; V30rC: echo 'e';
While the order of execution is correct, PHP actually does not execute the use
statement, but interpret it statement-by-statement while generating bytecode for the function. It will select the wrong class for the bytecode and everything will go haywire.
For the sake of completeness, here is a test class which will show that the above code indeed does not run properly. Add an include line for it right after the <?php
of each code snippet.
// BarClass.php
<?php
namespace FooNamespace;
class BarClass {
public static function foo() {
echo "foo";
}
}
Trying with your demo, after decoding in unphp.net, I still can see "hello", "that's it!".... I used --obfuscate-string-literal, but It does not work :|
<?php
/*--------------------------
simple test program !
---------------------------*/
$hello = "hello ";
$world = "world ";
$what = "what ";
$a = "a ";
$beautiful = "beautiful ";
$day = "day ";
for($i=0;$i<=7;++$i) // small loop!
{
echo $hello; echo $world; echo PHP_EOL;
echo $what; echo $a; echo $beautiful; echo $day; echo PHP_EOL;
}
echo "that's it!".PHP_EOL;
?>
I'm trying to obfuscate a small PHP file, I've tried to obfuscate the file with demo version too, same error happend.
error:
Fatal error: Uncaught Error: Class 'NwCfO' not found in C:\laragon\www\bings.php:8 Stack trace: #0 {main} thrown in C:\laragon\www\bings.php on line 8
here's the original PHP file:
header('Content-type: text/html; charset=UTF-8');
require_once 'bing.php';
$search = new bing_api("help");
$search->setDork('خرید گوشی');
$search->setCount(50);
// number of results on each page
$search->setSubLinks(TRUE);
// returns sublinks of the results if available
$search->search();
// start the search & extract the data
$descs = $search->getDescs(); // return the results ( title & link )
foreach($descs as $desc){
echo $desc . '<br/>';
}
?>
here's the obfuscated file :
/* __________________________________________________
| Obfuscated by YAK Pro - Php Obfuscator 2.0.5 |
| on 2019-09-24 13:00:30 |
| GitHub: https://github.com/pk-fr/yakpro-po |
|__________________________________________________|
*/
goto Zq88w; iS_Nq: require_once "\142\x69\156\x67\x2e\x70\x68\160"; goto gZ8oc; sQPBr: $Kb1mk->f3vBK("\xd8\256\330\xb1\333\214\xd8\xaf\40\xda\xaf\331\x88\330\264\333\214"); goto vzuVl; vcz_5: $Kb1mk->fChB7(TRUE); goto EHnDU; vzuVl: $Kb1mk->ZaHhl(50); goto vcz_5; ooGUt: $zm0lC = $Kb1mk->Mrf1c(); goto B1J2f; gZ8oc: $Kb1mk = new NwCfO("\x68\145\x6c\x70"); goto sQPBr; EHnDU: $Kb1mk->SAK6J(); goto ooGUt; B1J2f: foreach ($zm0lC as $hHKnC) { echo $hHKnC . "\74\x62\162\57\x3e"; gKF5w: } goto IpRf8; Zq88w: header("\103\157\x6e\164\145\x6e\x74\x2d\x74\171\x70\x65\72\x20\164\145\x78\x74\x2f\x68\x74\155\x6c\73\x20\143\150\x61\x72\163\145\164\75\125\x54\x46\x2d\70"); goto iS_Nq; IpRf8: c3txC:
here's the config file, just changed this line:
$conf->parser_mode = 'ONLY_PHP7';
// YAK Pro - Php Obfuscator: Config File
// Do not delete the previous line! it's a magic string for config file!
//========================================================================
// Author: Pascal KISSIAN
// Resume: http://pascal.kissian.net
//
// CopyRight (c) 2015-2019 Pascal KISSIAN
//
// Published under the MIT License
// Consider it as a proof of concept!
// No warranty of any kind.
// Use and abuse at your own risks.
//========================================================================
// when we use the word ignore, that means that it is ignored during the obfuscation process (i.e. not obfuscated)
$conf->t_ignore_pre_defined_classes = 'all'; // 'all' (default value) , 'none', or array of pre-defined classes that you use in your software:
// ex: array('Exception', 'PDO', 'PDOStatement', 'PDOException');
// As instantiation is done at runtime, it is impossible to statically determinate when a method call is detected, on which class the object belong.
// so, all method names that exists in a pre_defined_class to ignore are ignored within every classes.
// if you have some method names in your classes that have the same name that a predefine class method, it will not be obfuscated.
// you can limit the number of method names to ignore by providing an array of the pre-defined classes you really use in your software!
// same behaviour for properties...
$conf->t_ignore_constants = null; // array where values are names to ignore.
$conf->t_ignore_variables = null; // array where values are names to ignore.
$conf->t_ignore_functions = null; // array where values are names to ignore.
$conf->t_ignore_class_constants = null; // array where values are names to ignore.
$conf->t_ignore_methods = null; // array where values are names to ignore.
$conf->t_ignore_properties = null; // array where values are names to ignore.
$conf->t_ignore_classes = null; // array where values are names to ignore.
$conf->t_ignore_interfaces = null; // array where values are names to ignore.
$conf->t_ignore_traits = null; // array where values are names to ignore.
$conf->t_ignore_namespaces = null; // array where values are names to ignore.
$conf->t_ignore_labels = null; // array where values are names to ignore.
$conf->t_ignore_constants_prefix = null; // array where values are prefix of names to ignore.
$conf->t_ignore_variables_prefix = null; // array where values are prefix of names to ignore.
$conf->t_ignore_functions_prefix = null; // array where values are prefix of names to ignore.
$conf->t_ignore_class_constants_prefix = null; // array where values are prefix of names to ignore.
$conf->t_ignore_properties_prefix = null; // array where values are prefix of names to ignore.
$conf->t_ignore_methods_prefix = null; // array where values are prefix of names to ignore.
$conf->t_ignore_classes_prefix = null; // array where values are prefix of names to ignore.
$conf->t_ignore_interfaces_prefix = null; // array where values are prefix of names to ignore.
$conf->t_ignore_traits_prefix = null; // array where values are prefix of names to ignore.
$conf->t_ignore_namespaces_prefix = null; // array where values are prefix of names to ignore.
$conf->t_ignore_labels_prefix = null; // array where values are prefix of names to ignore.
$conf->parser_mode = 'ONLY_PHP7';// allowed modes are 'PREFER_PHP7', 'PREFER_PHP5', 'ONLY_PHP7', 'ONLY_PHP5'
// see PHP-Parser documentation for meaning...
$conf->scramble_mode = 'identifier'; // allowed modes are 'identifier', 'hexa', 'numeric'
$conf->scramble_length = 5; // min length of scrambled names (min = 2; max = 16 for identifier, 32 for hexa and numeric)
$conf->t_obfuscate_php_extension = array('php'); // array where values are extensions of php files to be obfuscated.
$conf->obfuscate_constant_name = true; // self explanatory
$conf->obfuscate_variable_name = true; // self explanatory
$conf->obfuscate_function_name = true; // self explanatory
$conf->obfuscate_class_name = true; // self explanatory
$conf->obfuscate_interface_name = true; // self explanatory
$conf->obfuscate_trait_name = true; // self explanatory
$conf->obfuscate_class_constant_name = true; // self explanatory
$conf->obfuscate_property_name = true; // self explanatory
$conf->obfuscate_method_name = true; // self explanatory
$conf->obfuscate_namespace_name = true; // self explanatory
$conf->obfuscate_label_name = true; // label: , goto label; obfuscation
$conf->obfuscate_if_statement = true; // obfuscation of if else elseif statements
$conf->obfuscate_loop_statement = true; // obfuscation of for while do while statements
$conf->obfuscate_string_literal = true; // pseudo-obfuscation of string literals
$conf->shuffle_stmts = true; // shuffle chunks of statements! disable this obfuscation (or minimize the number of chunks) if performance is important for you!
$conf->shuffle_stmts_min_chunk_size = 1; // minimum number of statements in a chunk! the min value is 1, that gives you the maximum of obfuscation ... and the minimum of performance...
$conf->shuffle_stmts_chunk_mode = 'fixed'; // 'fixed' or 'ratio' in fixed mode, the chunk_size is always equal to the min chunk size!
$conf->shuffle_stmts_chunk_ratio = 20; // ratio > 1 100/ratio is the percentage of chunks in a statements sequence ratio = 2 means 50% ratio = 100 mins 1% ...
// if you increase the number of chunks, you increase also the obfuscation level ... and you increase also the performance overhead!
$conf->strip_indentation = true; // all your obfuscated code will be generated on a single line
$conf->abort_on_error = true; // self explanatory
$conf->confirm = true; // rfu : will answer Y on confirmation request (reserved for future use ... or not...)
$conf->silent = false; // display or not Information level messages.
$conf->source_directory = null; // self explanatory
$conf->target_directory = null; // self explanatory
$conf->t_keep = null; // array of directory or file pathnames, to keep 'as is' (i.e. not obfuscate.)
$conf->t_skip = null; // array of directory or file pathnames, to skip when exploring source tree structure ... they will not be on target!
$conf->allow_and_overwrite_empty_files = true; // allow empty files to be kept as is
$conf->max_nested_directory = 99;
$conf->follow_symlinks = false; // WARNING: setting it to true will copy the directory instead of replicating the link...
// WARNING: if there is a loop of links, $conf->max_nested_directory can be created...
$conf->user_comment = null; // user comment to insert inside each obfuscated file
$conf->extract_comment_from_line = null; // when both 2 are set, each obfuscated file will contain an extract of the corresponding source file,
$conf->extract_comment_to_line = null; // starting from extract_comment_from_line number, and ending at extract_comment_to_line line number.
?>
a code sample:
$data = '{"prop":"val"}';
$data = json_decode($data);
if (isset($data->prop)) {
echo 'true';
} else {
echo 'false';
}
returns true and will be encoded as:
goto DHKg9; yqEUg: echo "\x74\x72\x75\x65"; goto R9s06; U99Jy: $QwkQT = json_decode($QwkQT); goto J4ocS; qtu0F: echo "\146\141\154\163\145"; goto cN9Mc; DHKg9: $QwkQT = "\x7b\x22\x70\162\x6f\x70\x22\x3a\x22\166\141\x6c\42\x7d"; goto U99Jy; J4ocS: if (isset($QwkQT->i348Y)) { goto YGJH6; } goto qtu0F; CPTcV: YGJH6: goto yqEUg; cN9Mc: goto MsDzS; goto CPTcV; R9s06: MsDzS:
return false
Hi, thanks for the nice project! :)
I set $conf->scramble_length = 2;
to make things smaller (and I'm just experimenting anyways), but PHP complained:
PHP Parse error: syntax error, unexpected 'aS' (T_AS), expecting identifier (T_STRING)
This was the show-stopping expression:
goto aS;
While $-prefixed variable names are not affected, labels, class names, constants, etc. won't really like if they are renamed for reserved words.
Maybe a reserved word list should be included ( http://php.net/reserved )?
use Tbuy_Flow_Model_Storage_Factory as StorageFactory;
becomes
use fNSeU as StorageFactory;
even if I've set
$conf->obfuscate_namespace_name = false;
Am I doing something wrong?
This is my whole config file
https://gist.github.com/andthink/672fbd8d3d854617b16f604c1a918bc7
Hey i like your obfuscating repository.
I am a wordpress plugin developer and i like to secure my code.
My biggest challange is to get the code 100% running after obfuscating.
Is there a syntax check before obfuscating?
to check if the output is still working?
i use IonCube loaders/coding at the moment which checks the code before coding.
But this needs to habe the IonCube loaders installed on server.
How do you check your work after obfuscating?
$t_ignore_methods is invalid, can't ignore the specified method name, I am using version 2.0.4.
For example: I introduced the DB static class, I added all the public methods of the DB class to the array in $t_ignore_methods, set $obfuscate_method_name to true to perform obfuscation, and the result is that the DB class method is still confused.
In includes/functions.php there are references to a directory_remove
function which doesn't exist in PHP. Is it supposed to be rmdir
? I'm not sure if that one is recursive or not.
First of all great work. Great tool.
My only suggestion is to allow us to have an API to write our own code selection strategy - with options to affect the selected obfuscated files and also do search / replace for references on ignored files.
So for example: if I wanted to write a obfuscation selector to replace methods inside add_action() functions on a WP plugin, and do a global search / replace on all instances (where this method is called) on non-obfuscated files with the new obfuscated method name (so it does not break the codebase) - this would be very useful to have on an extension for yakpro-po
Thanks
class Test {
protected function testAction(){}
}
i'd like to keep protected function name
Getting this error:
Fatal error: Uncaught exception 'LogicException' with message 'Passed array does not specify an existing static method (class 'ComposerAutoloaderInit6abcfcd8de4a38fce2851d378ca1a6d0' not found)' in /var/www/domain/web/library/vendor/composer/autoload_real.php:8
Stack trace:
#0 /var/www/domain/web/library/vendor/composer/autoload_real.php(8): spl_autoload_register(Array, true, true)
#1 /var/www/domain/web/library/vendor/autoload.php(8): uUBET::gbBbi()
#2 /var/www/domain/web/base/init.php(8): include('/var/www/domain...')
#3 /var/www/domain/web/index.php(8): require('/var/www/domain...')
#4 {main}
thrown in /var/www/domain/web/library/vendor/composer/autoload_real.php on line 8
I believe it's relevant with this one: #13
Hello,
I'm trying to cover up a Laravel project. There are some empty PHP files leading to the problem. Can you build in a content check before php_strip_whitespace(...) is called?
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google ❤️ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.