JOURNAL OF NETWORKS, VOL. 8, NO. 10

JOURNAL OF NETWORKS, VOL. 8, NO. 10, OCTOBER 2013



Security Analysis of PHP Encoder

Yao Chunlong, Yin Fengjiao, Li Xu, and Fan Fenglong
School of Information Science and Engineering, Dalian Polytechnic University, Dalian 110634, China

2353




Abstract—As an open source server-side scripts language,
PHP is used more and more widely by Web developers now.
Protecting PHP code from being plagiarized is also a hot
research issue especially with the rapid development of
dynamic web industry and people’s copyright protection
consciousness. Usually the developers use PHP encoders to
encrypt the PHP codes before selling them out. There are
several different kinds of PHP encoders with different
performances. In this paper, we analyze and compare the
security level of some well-known encoders. From a fully
new aspect, we try to analyze the output of the encoders
with the random statistical tests, which is never done before.
Also, we demonstrate the soundness of our method. We
figure out the test suite which is most suitable for PHP
encoders and explain the reasons. Finally, we carry out the
experiments and draw a conclusion about the security of the
PHP encoders based on our results.
Index Terms—PHP, Ioncube, Zend, Statistical Test,
Randomness

I. INTRODUCTION
With the progresses of Web, more and more dynamic
web pages are developed to be used in every aspect of our
lives, such as social network sites, electronic commercial
shopping, management system and e-banking. Many of
these web sites are implemented using PHP in the server.
As a server-side scripting language, PHP is designed for
producing dynamic pages with open source. Instead of
calling an external function, PHP is embedded to the
HTML source code for processing the data. It is first
proposed in 1994 by Rasmus Lerdorf written with C
programming language. Since the first version, PHP
develops rapidly. After numerous improvements and
optimizations on the original release, it now has grown to
version 5. The PHP is interpreted by the PHP processor in
a Web server. It also can be used as independent shell on
other graphical applications, platforms and operation
systems. The PHP can be used to manage the dynamic
content, support the database, process the session tracking,
and even build the entire station for the e-commerce. It
supports many popular databases, including MySQL,
PostgreSQL, Oracle, Sybase, Informix, and the Microsoft
SQL Server.
Unlike other similar server-side scripts such as ASP
developed by Microsoft, PHP is free and obtains more
and more attention. People are aware of its practicality
gradually. Now PHP is widely used in the world. Famous
applications of PHP are Word Press, Drupal, Magento
and so on.



ฉ 2013 ACADEMY PUBLISHER
doi:10.4304/jnw.8.10.2353-2360




Due to the property of the script, the source code of
PHP is likely to expose after the release. So the PHP
source codes require some mechanisms or processing
means to prevent from view of decompiling,
unauthorized custom modifications, unauthorized usage
and re-release. PHP encoders are designed to protect the
PHP applications in the reverse engineering, unauthorized
customs, unlicensed usage and redistribution. Zend
Encoder is one of such encoders.
PHP code protection has been the core concerns of
many companies, such as some of the well-known forums
such as vBulletin, Discuz, PHPWind and ShopEx.
However, the emergence of PHP decompiling quickly
causes panic in the Zend-like companies, and even entire
PHP user group. All the related products, including
almost all of the large-scale PHP products are cracked.
And the source codes are even published. In this situation,
the Zend company has to admit that all encryption
technology have a way to break, and promise a great
improvement to provide better protection for encryption
products.
In the field of cryptography, random statistical tests are
used to verify the randomness of sequences. Each random
test corresponds to a kind of property of sequences. The
output of sequences produced with small probability in a
pre-determined distribution is considered to be not
random. The core of each test is the probability
distribution and the statistics. The statistical tests can be
constructed according to the requirements, so there are
numerous possible statistical tests. The sequence is
detected by every test. If there is a mode being found in
the sequence, this sequence is regarded to be disqualified
by the test.
Usually some of a large number of tests are picked out
to form a test package [8], which should be as few as
possible but enough to detect enough random properties
of the sequences. Because of the presence of so many
tests [9-11], choosing a proper test suite according to
detailed requirements is very important. So researchers
need to determine which tests should be included in such
a test suite to ensure its rationality [12] [20].There are
some widely-known test suites. Knuth proposed several
empirical tests in “The Art of Computer Programming”
[1], which includes the serial test, the poker test, the
permutation test, the run test, the interval test and the
birthday space test. Menezes developed five primary tests
in “Handbook of Applied Cryptography” [2], including
the frequency test, the serial test, the poker test, the run
test and the autocorrelation test. Marsaglia gave a test
suite CD called DIEHARD in [3]. Many tests are


2354



involved in this suite: the birthday space test, the
overlapping test, the permutation test, the binary matrix
test, the matrix test, the DNA test, the minimum distance
test, and so on. Gustafson published the CryptXS test
suite in [4] to measure the strength of some cryptographic
primitives. In [5], National Institute of Standards and
Technology proposed a test suite which is accepted by
most usage now [6, 7]. This test suite contains 16 tests:
the frequency test within a block, the discrete Fourier
transform test, the overlapping template, the matching
test, the Lempel-Ziv compression test, the linear
complexity test. It is also known that some tests have
some flaws so that we should use them more carefully
[18] [19].
A. Our Contribution
In this paper, we first analyze the security level of
some well-known encoders. We compare these encoders
from different aspects. We consider the security from a
new point of view by using random statistical tests. As
we know, this has not been done so far. By comparing the
randomness of the output of the encoders based on
different tests, we give more insight into several widely-
used PHP encoders. This is never done before. We also
demonstrate the soundness and effect of our method.
From some different kinds of test suite, we work out the
test suite which is the fittest to measure the PHP encoders.
Finally, we take the experiments on some PHP encoders
and explain the results. Based on the results, we draw a
more detailed and clearer conclusion about existing PHP
encoders.
B. The Organization
In Section 2, we introduce the background information
about several widely-know PHP encoders, as well as their
state-of-the-art developments. We also give a comparison
of the performances of these encoders. In Section 3, we
present more details about the random statistical tests,
especially related to what we concern in this paper. In
Section 4, we describe how to measure the security of
PHP encoders according to our new method based on the
statistical random tests. In Section 5, we focus on several
PHP encoders which are used in most applications and
analyzed deeply in this paper. In Section 6, we carry out
the experiments on several PHP encoders with our
method, and compare their results. Section 7 concludes
this paper.
II. RELATED WORK
There are several PHP encoders now. Some of them
are free of charge, while others are not. Currently the
most popular authorized PHP encryption software on the
market is mainly these two:
(1) Zend Guard by Zend Company
(2) Ioncube PHP Encoder
Other lightweight encoders include PHP screw and
PHPCodeLock. Micro-shield PHP encryption expert
(PHPCodeLock) is good PHP script encryption software,
without having to install any third-party components in
the server-side. The encrypted files can be run on any
ordinary PHP environment. This software requires no


ฉ 2013 ACADEMY PUBLISHER

JOURNAL OF NETWORKS, VOL. 8, NO. 10, OCTOBER 2013



additional costs: encrypted script can run in the ordinary
PHP 4 or PHP 5 environment on your computer and the
server without installing other components; encrypted
script can run well in Windows, Linux, and UNIX
without any changes in the Web server. The PHP safe
mode can run well and provide enough confusion, which
can defend leakage of sensitive information, such as the
password of MySQL. The algorithm starts from a unique
directory, traverse to several depth subdirectories until
the completion of covering all the files and subdirectories.
The encryption of subdirectories in a specified directory
includes file encryption support. The usage of locking the
encryption key does not only support for single or
multiple IP functions, but also