/mod_screwim

PHP Screw Improved - PHP script encryption tool

Primary LanguageCOtherNOASSERTION

PHP Screw Improved(ScrewIm) extension

GitHub license GitHub download GitHub last release GitHub closed issues GitHub closed pull requests

Information

If you can read korean, see also README.ko.md

Abstract

PHP Screw Imporved(ScrewIm) is a PHP script encryption tool. When you are developing a commercial package using PHP, the script can be distributed as encrypted up until just before execution. This preserves your intellectual property.

This extension is based from PHP screw who made by Kunimasa Noda in PM9.com, Inc.

The differences from the original PHP-screw are as follows:

  1. Improved performance by processing in memory rather than creating temporary files during decoding.
    1. Applied Sungwook-Shin's improved patch
    2. Improved performance by fixing duplicated file open (issue #4)
    3. Fixed memory leaks.
  2. Improved performance by changing memory reallocation logic when encoding or decoding large files.
  3. Only works if 'screwim.enable' option is on.
  4. Fixed memory leaks.
  5. Remove global variable. Maybe thread safe.
  6. Preventing problems that can be decompiled with php_unscrew
  7. support runtime encrypt function screwim_encrypt()
  8. support runtime decrypt function screwim_decrypt(), screwim_seed()
  9. And so on..

Description

ScrewIm is encipher a PHP script with the encryption tool.

And, at the time of execution of a PHP script, the decryptor screwim.so is executed as PHP-Extension, just before the PHP script is handed to the Zend-Compiler.

In fact what is necessary is just to add the description about php.screw to php.ini. A PHP script programmer does not need to be conscious of decrypting process. Moreover it is possible for you to intermingle an enciphered script file and an unenciphered one.

The encryption logic in the encryption tool(screwim) and the decryption logic in the decryptor(screwim.so), can be customized easily.

The normal purpose code and decryption logic included, can be customized by only changing the encryption SEED key. Although it is easy to cusomize the encryption, by the encryption SEED, it does NOT mean, that the PHP scripts can be decrypted by others easily.

License

Copyright 2022. JoungKyun.Kim All rights reserved.

BSD 2-clause

Requirement

  • PHP 5 and after (Also support PHP 7)
  • PHP zlib extension.
    Check that PHP has zlib compiled in it with the PHP script:
    <?php gzopen(); ?>
  • Unix like OS.

Installation

1. Customize encrytion / decryption

  • change the encryption SEED key (screwim_mcryptkey) in my_screw.h into the values according to what you like.
  • The encryption will be harder to break, if you add more values to the encryption SEED array.
  • However, the size of the SEED is unrelated to the time of the decrypt processing.
  • The encryption SEED key is now automatically generated from 5 to 8 arrays at configure time. Don't use my_screw.h any more. (craeted with the SCREWIM_ENC_DATA constant in config.h)
  • Encrypted scripts get a stamp added to the beginning of the file. Before building, you must change this stamp defined by SCREWIM and SCREWIM_LEN in php_screwim.h. SCREWIM_LEN must be less than or equal to the size of SCREWIM.
    • In November 2017, a php extension has been introduced that hooks up the zend_compile_file API before mod_screwim to take an encrypted file. To prevent this module, the values of SCREWIM and SCREWIM_LEN must be changed, and longer is better.
    • No matter how long you change to a string, you can not defend 100% in mod_screwim logic. It is not suitable for encrypted code distribution.
    • If you change the Magic key, it is not compatible with existing encrypted files. New encryption is required.

2. Build and install

[root@host mod_screwim]$ phpize
[root@host mod_screwim]$ ./configure
[root@host mod_screwim]$ make install

On configure, the --enable-screwim-decrypt option adds decrypt functions ( screwim_decrypt(), screwim_seed() ). This means that you can decrypt an encrypted PHP file.

If you are building for distribution, never add the --enable-screwim-decrypt option!

After the build, make sure to back up the values of the SCREWIM_ENC_DATA constant in the config.h file and the value the SCREWIM constant in the php_screwim.h file. If you forget the original source later, you can use this value to recover it.

[root@an3 mod_screwim]$ grep SCREWIM_ENC_DATA < config.h
#define SCREWIM_ENC_DATA 26501, 21882, 15211, 24181, 15060, 13145
[root@an3 mod_screwim]$ grep "define SCREWIM " < php_screwim.h
#define SCREWIM     "\tSCREWIM DATA\t"

SCREWIM_ENC_DATA values vary from time to time of build, so it is recommended to have a separate backup.

3. Test

PHP can test to see if the built module works.

[root@host mod_screwim]$ make test PHP_EXECUTABLE=/usr/bin/php

Or, if you want to test the extension you built before installing, you can do the following:

[root@host mod_screwim]$ php -d "extension_dir=./modules/" -d "extension=screwim.so" some.php

4. Configuration

Add next line to php configuration file (php.ini and so on)

extension=screwim.so
screwim.enable = 1

By default, decryption does not work, so the performance of regular PHP files is better than the original PHP Screw. The screwim.enable option must be turned on for decryption to work. See also #3

For detail on the settings, refer to the Execution item below.

5. APIs

  • (string) screwim_encrypt (string)
    • Support runtime encryption.
    • Can be used instead of tools/screwim command
    • This API is not affected by the screwim.enable option.
  <?php
  $code = <<<EOF
  <?php
  $conf['url'] = 'http://domain.com/register';
  $conf['pass'] = 'blah blah';
  ?>
  EOF;

  $data = screwim_encrypt ($code);
  file_put_contents ('./config/config.php', $data);
  ?>
  • (string) screwim_decrypt (string, (optional) key, (optional) magickey_len)
    • The --enable-screwim-decrypt option must be given at build time.
    • Support runtime decryption.
    • Can be used instead of tools/screwim command
    • When call in an environment other than CLI mode, E_ERROR occurs.
    • When not running as root privileges, E_ERROR occurs.
    • This API is not affected by the screwim.enable option.
  <?php
  $config = file_get_contents ('./config/config.php');
  echo screwim_decrypt ($config);
  ?>
  • (object) screwim_seed (void)
    • The --enable-screwim-decrypt option must be given at build time.
    • Returns encrypt seed key of current mod_screwim.so
    • Can be used instead of tools/screwim command
    • When call in an environment other than CLI mode, E_ERROR occurs.
    • When not running as root privileges, E_ERROR occurs.
    • This API is not affected by the screwim.enable option.
  <?php
  // returns follow
  // stdClass Object
  // (
  //     [keybyte] => 6b22886a0f4faa5f37783d36944d7823e707
  //     [keystr] => 8811, 27272, 20239, 24490, 30775, 13885, 19860, 9080, 2023
  //     [headerlen] => 14
  // )
  print_r (screwim_seed ());
  ?>

Command line Encryption Tool

The encription tool is located in mod_screwim/tools/ .

1. Build

[root@host mod_screwim]$ cd tools
[root@host tools]$ ./autogen.sh
[root@host tools]$ ./configure --prefix=/usr
[root@host tools]$ make
[root@host tools]$ make install # Or copy the screwim file into an appropriate directory.
[root@host tools]$ /usr/bin/screwim -h
screwim 1.0.6 : encode or decode php file
Usage: screwim [OPTION] PHP_FILE
   -c VAL, --convert=VAL convert key byte to digits
   -d,     --decode   decrypt encrypted php script
   -h,     --help     this help messages
   -H VAL, --hlen=VAL length of magic key(SCREWIM_LEN or PM9SCREW_LEN). use with -d mode
   -k VAL, --key=VAL  key bytes. use with -d mode
   -v,     --view     print head length and key byte of this file
[root@host tools]$

2. Encryptioin

The follow command creates the script file enciphered by the name of script file name .screw.

   [root@host ~]$ /usr/bin/screwim test.php
   Success Crypting(test.php.screw)
   [root@host ~]$

3. Decryption

The follow command creates the script file enciphered by the name of script file name .discrew.

   [root@host ~]$ /usr/bin/screwim -d test.php.screw
   Success Decrypting(test.php.screw.discrew)
   [root@host ~]$

Execution

Add next line to php configuration file (php.ini and so on)

extension=screwim.so

The decryption does not work by default, when loading module.

The decryption process is as follows:

  1. Open the file and verify that the beginning of the file starts with the Magic key. (Check if the file is encrypted with ScrewIm)
  2. If the file is unencrypted(If the Magic key is missing or different), return to the zend compiler without working.
  3. Once the Magic key is confirmed, return to zend compile after decoding.

Obviously encryption and decryption will degrade performance. Therefore, it is recommended to reduce the number of encrypted documents as much as possible. However, even if you do not encrypt it, opening all files to check for encryption also causes performance degradation. In particular, a large number of connections can cause serious performance degradation.

To solve this problem, mod_screwim will return to the Zend compiler without checking the Magic key if the screwim.enable option is not enabled.

Therefore, it is best to minimize the encryption as much as possible, and it is recommended to include it in php after encrypting only certain functions.

Here is how to use the screwim.enable option:

1. PHP configuration file

screwim.enable = 1

Add the above settings to the PHP configuration file(php.ini and so on). It is not recommended because it causes performance degradation when processing unencrypted php scripts.

Use this setting if there are not many connections or if there is sufficient resources.

In the CLI environment, if you can use the CLI configuration file separately from the apache module or FPM, it is recommended to add the above settings to php.ini.

2. mod_php (Apache module) envionment

Use the block to make the decryptor work on the desired path.

<Directory /path>
    php_falg screwim.enable on
</Directory>

3. PHP Cli environments

use -d option.

[root@host ~]$ php -d screwim.enable=1 encrypted.php

In the CLI environment, resource utilization is not high. If the configuration file is separate from the apache module or FPM, it is recommended that you add this option to your PHP configuration file.

4. embeded php code (Recommand)

<?php
ini_set ('screwim.enable', true);
require_once 'encrypted.php';
ini_set ('screwim.enable', false);
require_once 'normal.php';

blah_blah();
?>