Obfuscation is not always a one click solution, when encoding and when working with Laravel there are a few things to consider. This post gives solutions to the issues that can arise when obfuscating within the context of protecting a Laravel project.

This post is a continuation from ionCube Encoding a Laravel Project: Controllers, Models and Templates. To download the files used within this example please refer to that post.

The project in this example is based from:
https://selftaughtcoders.com/from-idea-to-launch/lesson-17/laravel-5-mvc-application-in-10-minutes/
and is using Laravel 5.3.

For this example the project was located at /var/www/html/project.

Function Obfuscation

Function obfuscation turns function names into a meaningless form, and if used, calls to Laravel Helper functions such as view() would be obfuscated in the encoded controllers. Laravel would be unable to find view() by its obfuscated name and an error such as the following will be given.

To solve this, the Encoder can be given an exclusion list of the classes, functions and/or methods that should not be encoded. To ensure your obfuscated controllers work, there will need to be an exclusion list including all the Helper functions Laravel could use. We have created a laravel-excl.txt which includes all the Helper functions used within Laravel 5.3; for a newer version you may need to add to the file.

Download laravel-excl.txt file

To obfuscate using the exclusion list use the following command:

ioncube_encoder –obfuscate functions –obfuscation-key ‘[obfuscation key]’ –obfuscation-exclusion-file [exclusion file] [source directory] -o [target directory]

Specific to this example it would be:

./ioncube_encoder.sh \
--copy '*.php' \
--encode /var/www/html/project/app/Http/Controllers/ \
--obfuscate functions 
--obfuscation-key 'randomkey' \
--obfuscation-exclusion-file /var/www/html/project/laravel-excl.txt \
--replace \
/var/www/html/project/ -o /var/www/html/project_encoded/

This allows the page to be viewed as expected and still be encoded and obfuscated.

Due to Laravel using an auto loading mechanism, class obfuscation does not work as Laravel builds a list of classes to run prior to executing the code. Any obfuscated class would not be picked up by Laravel and therefore would not be run.

 

Encoding with obfuscation

  • Encode using the exclusion list of Laravel Helper functions (laravel-excl.txt)
  • Due to the autoload mechanism it uses, Laravel is not compatible with class obfuscation

ionCube Encoding a Laravel Project: Function Obfuscation
twitterlinkedinmail
Tagged on:                         

Leave a Reply

Your email address will not be published. Required fields are marked *