If asked to name brands that have trouble with fakes, you’d probably put Rolex in the top 5. You (and we) would not expect ionCube to be on any such list, yet February 2018 saw ionCube join the list of desirable brands that have to deal with fakes; yes, fake ionCube files!

The fake ionCube files are not created by ionCube software but appear to aim to do a similar thing: protecting code, and duping users into thinking that they have purchased genuine ionCube files and not poor-quality copies. These first appeared with hidden malware, for which they are a startlingly poor choice: most people never look at code they install, so the malware could be hidden in plain sight and be just as effective, and any security researcher would spot a fake ionCube file in the blink of an eye.

In this article we describe the practical differences and how to identify a fake ionCube file.

What is ionCube

Put simply, ionCube protects PHP software by first turning the original program code into a new binary form that is efficient for the computer to run but unusable for a human. This compiled code is then protected with various mechanisms that make it hard to reverse engineer and figure out what the source code could have been, and particularly challenging when using ionCube's Dynamic Keys feature, which encrypts the code without storing any decryption key. This is great for developers who want to protect their code from copying, and also for enforcing license policies such as use on a single domain. If you own a website and want to protect database passwords from someone who has access to read the code but no business knowing how to get into the database, then it’s great for that also.

How is a Fake File Different

Most crucially, a fake ionCube file will not offer the level of protection that a genuine file offers; it merely hides the source code that it claims to protect, and that code is trivially revealed. Genuine ionCube files can run on multiple versions of PHP. They do need a plugin to be installed for PHP, whereas a fake file does not, but this is easily done, and most hosts provide it preinstalled for users who do not have access to install it themselves. So there is no practical benefit from having a fake file.

What is an ionCube File, and How to Identify a Fake One

A genuine ionCube file will look something like the code below, and has a few distinct parts. The first, in red, is the opening PHP tag. This will always be at the start. It is followed by the text in blue, which is a number in hexadecimal (base 16) that specifies the byte offset to the purple part. The section in green may or may not be present, and serves two purposes: one is to install the Loader on the fly, though this is a legacy feature that is not possible with PHP versions from mid PHP 5, and the other is to give a helpful message if the helper plugin mentioned above is not installed. Its size should not be much larger than it is here, and may well be much smaller. The contents should be very similar to what is shown here. The purple section (lines 11-13) is the actual data of the file. This always appears after the closing PHP tag, and no <?php or ?> tags should appear within or after it.

 

<?php //003ab
if(!extension_loaded('ionCube Loader')){$__oc=strtolower(substr(php_uname(),0,3));$__ln='ioncube_loader_'.$__oc.'_'.subs
tr(phpversion(),0,3).(($__oc=='win')?'.dll':'.so');@dl($__ln);if(function_exists('_il_exec')){return _il_exec();}$__ln='
/ioncube/'.$__ln;$__oid=$__id=realpath(ini_get('extension_dir'));$__here=dirname(__FILE__);if(strlen($__id)>1&&$__id[1]=
=':'){$__id=str_replace('\\','/',substr($__id,2));$__here=str_replace('\\','/',substr($__here,2));}$__rd=str_repeat('/..
',substr_count($__id,'/')).$__here.'/';$__i=strlen($__rd);while($__i--){if($__rd[$__i]=='/'){$__lp=substr($__rd,0,$__i).
$__ln;if(file_exists($__oid.$__lp)){$__ln=$__lp;break;}}}@dl($__ln);}else{die('The file '.__FILE__." is corrupted.\n");}
if(function_exists('_il_exec')){return _il_exec();}echo('Site error: the file <b>'.__FILE__.'</b> requires the ionCube P
HP Loader '.basename($__ln).' to be installed by the site administrator.');exit(199);
?>
4+oV5C5RcbQj1d+P0vaFTHLQxsuaXkLW1BpNzDaleM6vH07o7U1iWR7RMrYcOG6b7jyiD4FzECkl
zLjku0kTmDj9DtjVOKnzFeCbMXi13sgp6yFvl4BSKsNuW0nQtgDkTahPJ0e5TQO+Opg/7YiDlnDt
LNauyxx8MB1HYt7v7ssxPwnXXWsikfCjEa/JbXc0IX1BxUzCAjU8Erw5E/NcnM2PGHeJE6WCWEDM

If your file looks like this then you know you have the genuine article. If you receive a fake ionCube file we would love to see it, so please pass it on. You should not trust the source of the files, or indeed the files themselves, as they are being dishonest.
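The layout rules above can be applied to a file's bytes automatically; the Python function below is an added example, not ionCube's code. The header pattern is taken from the sample shown, while `MAX_STUB_BYTES`, the function name and both sample files are assumptions constructed for illustration.

```python
import re

# Header form taken from the sample on the page: "<?php //" followed by hex digits.
HEADER_RE = re.compile(rb"\A<\?php //([0-9a-fA-F]+)\r?\n")
MAX_STUB_BYTES = 2048  # assumed ceiling; the page only says "not much larger" than its sample


def layout_findings(data: bytes) -> list:
    """Return reasons the file departs from the layout described above (empty list = none)."""
    header = HEADER_RE.match(data)
    if not header:
        return ["does not start with '<?php //' plus a hexadecimal offset"]
    findings = []
    offset = int(header.group(1), 16)
    if offset >= len(data):
        findings.append(f"declared offset 0x{offset:x} lies beyond the end of the file")
    close = data.find(b"?>", header.end())
    if close == -1:
        return findings + ["no closing PHP tag, so there is no data section"]
    if close - header.end() > MAX_STUB_BYTES:
        findings.append("PHP section before the closing tag is unusually large")
    payload = data[close + 2:]
    if not payload.strip():
        findings.append("nothing follows the closing PHP tag")
    for tag in (b"<?php", b"?>"):
        if tag in payload:
            findings.append(f"PHP tag {tag.decode()!r} appears after the closing tag")
    return findings


# Constructed samples (not real encoded files): shortened stub, made-up data, arbitrary offsets.
GOOD = (b"<?php //0003c\n"
        b"if(!extension_loaded('ionCube Loader')){die('Loader missing');}\n"
        b"?>\n"
        b"QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=\n")
FAKE = (b"<?php //00011\n"
        b"?>\n"
        b"QUJDREVGRw==\n"
        b"<?php echo 'hidden'; ?>\n")

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("FAKE", FAKE)):
        print(name, layout_findings(sample) or "layout matches the description")
```

An empty result means only that the layout matches the description; it does not show that the file was produced by ionCube software.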

We’ll update this article if more information emerges and hope it helps in the war against brand fakes!

 

Fakes, and how to Identify a genuine ionCube File