In this article we focus on the most powerful features that you can use to protect your code and the differences between them. We will compare standard encoding, External Keys and Dynamic Keys which offer the greatest level of protection.
Standard Encoding
For comparison, here’s how standard encoding/decoding of a file works. The encoding key is part of the file and this is the default mechanism used by ionCube and other solutions.
External Keys
External keys are separate from the encoded file and are required in order for the file to run. If the key cannot be found then the encoded file cannot be run.
The encoded file requires an external key in order to run and the contents of the file itself is used as the key value. External keys can be set as a .ini configuration file setting, the path to a file or a license property. The file doesn’t have to be a PHP file and can be located on a remote server.
Dynamic Keys
Dynamic keys are a lot more powerful than external keys as the key is generated at runtime and unlike the other methods, never exists statically. They are applied on a per function basis.
When the correct key is generated it is used to decrypt the byte code for the corresponding function but if the key or encryption method is incorrect then the encoded file will fail to run.
The encoded file contains an encrypted function which is protected by a dynamic key. The dynamic key is the value of keygen() which is used elsewhere. When the protected function is run keygen() is called and returns a value. If this is the expected value then the script will continue to run.
Multiple dynamic keys can be set allowing for infinitely increasing levels of protection. It is also highly advisable whether you use dynamic keys or not to activate the ‘Include Attack Protection’ feature to further protect you against code substitution.
We recommend making use of these great features and section 4 of our User Guide contains in depth information and basic examples on External and Dynamic Keys.
While dynamic keys are specific to your application, it can be beneficial to see an example of it in action; at least in a simple way. But beware, using example which you just cut and paste into your code is a risky action. The following is just an example to illustrate how it would look but you SHOULD apply further changes specific to your application.
Suppose in your code you have a function you want to protect called myfunc. That can be protected by a simple key as follows:
<?php
require_once("keygen.php");
// @ioncube.dynamickey kg("sha256", "randomstr") -> "55d93359950d5b9375b0eeb0f0436dbaad342f5effd893129495c5f3c7480b21" RANDOM
function myfunc() {
echo "Hello world";
}
?>
In the above the “55d93359950d5b9375b0eeb0f0436dbaad342f5effd893129495c5f3c7480b21” will be used by the encoder to encrypt the byte code of myfunc. The “RANDOM” will mean a random cryptographically secure method will be used to encrypt.
When decoding the Loader will only attempt to decode myfunc when myfunc is first called. The Loader knows nothing about the key string “55d93359950d5b9375b0eeb0f0436dbaad342f5effd893129495c5f3c7480b21” but instead makes the function call kg(“sha256”, “randomstr”) which should obtain the key. (A key specifying function like kg can take string constants as arguments.) Whatever it gets as the result of that function call it will use to decrypt the byte code of myfunc. Since the Loader does not know what the key is supposed to be, or what the byte code of myfunc should look like, a crash could occur if the computed key does not match the key used to encrypt.
In keygen.php you would have something like:
<?php
function kg($hasher,$randstr)
{
return hash($hasher,$randstr);
}
?>
Even though that is a very simple example of a key, it is a very powerful means of code protection. You, of course, should devise your own dynamic key functions. The downsides are that setting up dynamic keys is labour intensive and, as true encryption is used, it will have an impact on performance. To mitigate that second point you can use “BASIC” instead of “RANDOM” in the above example, which mangles the byte code rather than truly encrypts it.
Dynamic keys are even stronger if they use the state of the program (such as global variables, external files etc) to obtain their results.
Thanks for reading and for more tutorials on the Keys features available in ionCube please see the article links below.
How to setup Dynamic Keys in ionCube Encoder
How to setup a simple External Key in ionCube Encoder
