Re: [PHP] Zend Encoder
At 18:51 25/02/2003, Thomas Johnsson wrote: 1. Zend does not have a way to decode a php file that was encoded using Zend Encoder. (For those of you paying attention to details, note the word decode, not decrypt. Zend Encoder does not encrypt. US gov't lawyers, please take note :) Are you not allowed, according to US laws, to encrypt files using something like the Zend Encoder, if that was a feature? No, it was more of a joke :) The reason the Zend Encoder does not use encryption is that it would be quite useless, as the file would have to be decrypted when it's loaded. It would then be relatively easy for a malicious hacker to take a look at the decrypted data. Instead, the contents of encoded files is simply not very meaningful to anything but the Zend Engine and Optimizer, so even if you get a hold of the data, you would still be far away from the source code. 2. Even the inherent knowledge that Zend has about our own product would not enable us to access encoded software. At most, we theoretically could develop code that could access some of the string elements in a script, but definitely not any actual code. (As a comparison, it would be like looking at a .EXE file in Windows, but even more convoluted.) Needless to say, even this minor capability has never and will never be developed or utilized by Zend. So, an encoded script does not decode to plain text and then execute? It certainly does not. There are products in the market in which the data does get restored to the original plain text in runtime, but they are inherently insecure. With Zend encoded files, the original plain text is gone for good. 3. Zend Encoder is the most secure way to deliver php code. That said, no protection scheme is absolutely 100% protected. What is the acual difference between Zend Encoder and say ioncube (http://www.ioncube.com), security-wise? I'm not familiar with the internals of the ioncube products, so I can't really answer that. I do know Zend pretty well, and nobody knows the engine as well as the ones who wrote it, so I stand behind Brad's statement :) Zeev -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] Zend Encoder
Hi, Allow me to clear the air: 1. Zend does not have a way to decode a php file that was encoded using Zend Encoder. (For those of you paying attention to details, note the word decode, not decrypt. Zend Encoder does not encrypt. US gov't lawyers, please take note :) 2. Even the inherent knowledge that Zend has about our own product would not enable us to access encoded software. At most, we theoretically could develop code that could access some of the string elements in a script, but definitely not any actual code. (As a comparison, it would be like looking at a .EXE file in Windows, but even more convoluted.) Needless to say, even this minor capability has never and will never be developed or utilized by Zend. 3. Zend Encoder is the most secure way to deliver php code. That said, no protection scheme is absolutely 100% protected. Brad __ Brad Young Director, Product Marketing [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] www.zend.com http://www.zend.com Zend - The PHP Company -Original Message- From: Thomas Johnsson [mailto:[EMAIL PROTECTED] Sent: Monday, February 24, 2003 6:51 PM To: [EMAIL PROTECTED] Subject: [PHP] Zend Encoder This might sound a bit paranoid, but since I don't know how it works, i'll ask anyway. If I encrypt a file using the Zend Encoder, is there anyone at zend who can view it, or it it an unreversable encryption? // Thomas -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Zend Encoder
1. Zend does not have a way to decode a php file that was encoded using Zend Encoder. (For those of you paying attention to details, note the word decode, not decrypt. Zend Encoder does not encrypt. US gov't lawyers, please take note :) Are you not allowed, according to US laws, to encrypt files using something like the Zend Encoder, if that was a feature? 2. Even the inherent knowledge that Zend has about our own product would not enable us to access encoded software. At most, we theoretically could develop code that could access some of the string elements in a script, but definitely not any actual code. (As a comparison, it would be like looking at a .EXE file in Windows, but even more convoluted.) Needless to say, even this minor capability has never and will never be developed or utilized by Zend. So, an encoded script does not decode to plain text and then execute? 3. Zend Encoder is the most secure way to deliver php code. That said, no protection scheme is absolutely 100% protected. What is the acual difference between Zend Encoder and say ioncube (http://www.ioncube.com), security-wise? Thanks for clearing the air, and sorry for polluting it with more questions :) // Thomas -Original Message- From: Thomas Johnsson [mailto:[EMAIL PROTECTED] Sent: Monday, February 24, 2003 6:51 PM To: [EMAIL PROTECTED] Subject: [PHP] Zend Encoder This might sound a bit paranoid, but since I don't know how it works, i'll ask anyway. If I encrypt a file using the Zend Encoder, is there anyone at zend who can view it, or it it an unreversable encryption? // Thomas -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Zend Encoder
This might sound a bit paranoid, but since I don't know how it works, i'll ask anyway. If I encrypt a file using the Zend Encoder, is there anyone at zend who can view it, or it it an unreversable encryption? // Thomas -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] Zend Encoder
There is not a way to encrypt something so that is is totaly, positivly, iriversable. As for someone at zend looking at them, there probably is, but they have a duty not to do anything with them. -Original Message- From: Thomas Johnsson [mailto:[EMAIL PROTECTED] Sent: Monday, February 24, 2003 11:51 AM To: [EMAIL PROTECTED] Subject: [PHP] Zend Encoder This might sound a bit paranoid, but since I don't know how it works, i'll ask anyway. If I encrypt a file using the Zend Encoder, is there anyone at zend who can view it, or it it an unreversable encryption? // Thomas -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Zend Encoder
There is not a way to encrypt something so that is is totaly, positivly, iriversable. As for someone at zend looking at them, there probably is, but they have a duty not to do anything with them. So what you are saying is that zend probably has a way of un-encoding the encoded files, if they where able to get their hands on them? I'm not saying they would, but if they could, it would be totally wrong in my opinion. As for having something 100% irreversible, even I'm not as naive to thing that ;) I know that a hacker could do it if he just set his mind to it... They just broke this encryption code... http://www.cnn.com/2003/TECH/internet/02/21/email.encryption.reut/index.html Regards, // Thomas -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] zend encoder and shell
Hey, Is it possible to run zend encoded scripts from the shell prompt? Regards, Kunal Jhunjhunwala Minds think with ideas, not information. No amount of data, bandwidth, or processing power can substitute for inspired thought. - Clifford Stoll -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] zend encoder
hey, Any ideas on how one can encode multiple files on a windows machine?? Regards, Kunal Jhunjhunwala Minds think with ideas, not information. No amount of data, bandwidth, or processing power can substitute for inspired thought. - Clifford Stoll -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Zend Encoder
Hi, My company is looking into using the Zend Encoder to enforce licensing of some tools that I'm developing and I have a few questions that I hope someone who's used it can answer: 1) I understand that when you encode your files, they will stop working when the zend license expires. how easy is it to get them working again after you renew? do the pages need to be re-encoded from source? 2) Will files encoded on a windows machine run on linux with the zend optimizer? 3) are there any known problems with certain php modules (ming, gd, mcal) 4) are there competing products I should be looking at? thanks, - Mark -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
Re: [PHP] ZEND Encoder
Although, an interesting question would be how hidden are variable values? Such as usernames/passes, etc. Though if someone manages to get a hold of a script, encoded or not, that has usernames and passwords in it, you are probably screwed anyway ;) In such a case all usernames and passwords should be totally scrambled for security, but that can only be done if you actually find out someone got a hold of the data. But back to the topic at hand, I ponder how easy it would be to read variable declarations and values, after reducing the script to such a level. As any encrypting the Zend encoding performes requires a key to decrypt, it must be reasonable trivial for a cracker with moderate experiance in cryptography to obtain. Then you have clear text, which is the optimized code as you said. Basically PHP that's been run through a compiler. I can't imagine it's technologically possible for the Zend Encoder to do more than obfuscate the source code. Which basically means it's like taking your bank statement and ripping it into little pieces by hand. It works only on people not willing to glue the pieces together. Someone who does Encoder cracking vary often will surely be capable of doing all this much more efficiently than someone who's playing around with it. But how many people make a hobby of that? ...better to keep that rhetorical. -- Plutarck Should be working on something... ...but forgot what it was. ""James Moore"" [EMAIL PROTECTED] wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... Is it possible in any instance that someone else will be able to de-code my PHP scripts once I have used the Zend Encoder on it, and be able to read it? Obviously they will be able to decode it to actually use it on the server, but will they ever be able to read the source? They will not be able to read the source as such. If they did mange to decode your script, which is unlikley then they would have Zend opcode rather than PHP Source Code which is the PHP equivilent of ASM. It would be very difficult to reconstuct your source code from this opcode and probably more hassle than actually rewriting the same functionality themselves (IE thats a no its pretty much impossible to retrive source code from encoded files). James -- James Moore [EMAIL PROTECTED] PHP Web Scripting: http://www.php.net/ PHP QA Team: http://qa.php.net/ PHP-GTK: http://gtk.php.net/ VL-SRM: http://www.vl-srm.net/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED] -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
Re: [PHP] ZEND Encoder
Without getting into the specifics of the zend product, which we've not tested thoroughly, I'd hazard a wild speculation that zend encoder-encoded scripts: 1. can be decoded 2. can NOT be decoded to the original source Obviously anything encoded needs to be decoded to run, and someone with enough time on their hands will be able to decode it to the point where they can understand what's going on at a low level, including any algorithms you've developed. If the machine has to be able to run the commands, some one else can eventually figure out what the machine will be doing. That's just a given. How difficult it would be would be another question, and my guess is it's not a trivial task, at least to casual users. Is it going to be decodeable to the original source code? I *highly* doubt it- it would be pretty inefficient to encode all your whitespace, comments, etc. Again, this isn't based on hands-on zend encoder experience, but experience with other compilers, Java, the APC cache product, and other similar ideas over the years. [EMAIL PROTECTED] wrote: Hi, I`m about to buy the Zend encoder from thier website and thought I better ask a pretty important question, unfortunately Zend couldn`t be bothered to follow up the lead on someone who might buy thier product so I thought I would turn to you guys to see if any of you know. Is it possible in any instance that someone else will be able to de-code my PHP scripts once I have used the Zend Encoder on it, and be able to read it? Obviously they will be able to decode it to actually use it on the server, but will they ever be able to read the source? -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
RE: [PHP] ZEND Encoder
Is it possible in any instance that someone else will be able to de-code my PHP scripts once I have used the Zend Encoder on it, and be able to read it? Obviously they will be able to decode it to actually use it on the server, but will they ever be able to read the source? They will not be able to read the source as such. If they did mange to decode your script, which is unlikley then they would have Zend opcode rather than PHP Source Code which is the PHP equivilent of ASM. It would be very difficult to reconstuct your source code from this opcode and probably more hassle than actually rewriting the same functionality themselves (IE thats a no its pretty much impossible to retrive source code from encoded files). James -- James Moore [EMAIL PROTECTED] PHP Web Scripting: http://www.php.net/ PHP QA Team: http://qa.php.net/ PHP-GTK: http://gtk.php.net/ VL-SRM: http://www.vl-srm.net/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]