If you can read korean, see also README.ko.md
PHP Screw Imporved(ScrewIm) is a PHP script encryption tool. When you are developing a commercial package using PHP, the script can be distributed as encrypted up until just before execution. This preserves your intellectual property.
This extension is based from PHP screw who made by Kunimasa Noda in PM9.com, Inc.
The differences from the original PHP-screw are as follows:
- Improved performance by processing in memory rather than creating temporary files during decoding.
- Applied Sungwook-Shin's improved patch
- Improved performance by fixing duplicated file open (issue #4)
- Fixed memory leaks.
- Improved performance by changing memory reallocation logic when encoding or decoding large files.
- Only works if 'screwim.enable' option is on.
- Improved performance by don't check magic key under normal environment(regular php script).
- See also #3 add screwim.enable ini option issue
- Fixed memory leaks.
- Remove global variable. Maybe thread safe.
- Preventing problems that can be decompiled with php_unscrew
- support runtime encrypt function
screwim_encrypt() - support runtime decrypt function
screwim_decrypt(), screwim_seed() - And so on..
ScrewIm is encipher a PHP script with the encryption tool.
And, at the time of execution of a PHP script, the decryptor screwim.so is executed as PHP-Extension, just before the PHP script is handed to the Zend-Compiler.
In fact what is necessary is just to add the description about php.screw to php.ini. A PHP script programmer does not need to be conscious of decrypting process. Moreover it is possible for you to intermingle an enciphered script file and an unenciphered one.
The encryption logic in the encryption tool(screwim) and the decryption logic in the decryptor(screwim.so), can be customized easily.
The normal purpose code and decryption logic included, can be customized by only changing the encryption SEED key. Although it is easy to cusomize the encryption, by the encryption SEED, it does NOT mean, that the PHP scripts can be decrypted by others easily.
Copyright 2022. JoungKyun.Kim All rights reserved.
- PHP 5 and after (Also support PHP 7)
- PHP zlib extension.
Check that PHP has zlib compiled in it with the PHP script:
<?php gzopen(); ?>- Unix like OS.
change the encryption SEED key (screwim_mcryptkey) in my_screw.h into the values according to what you like.The encryption will be harder to break, if you add more values to the encryption SEED array.However, the size of the SEED is unrelated to the time of the decrypt processing.- The encryption SEED key is now automatically generated from 5 to 8 arrays at configure time. Don't use my_screw.h any more. (craeted with the SCREWIM_ENC_DATA constant in config.h)
- Encrypted scripts get a stamp added to the beginning of the file. Before building, you must change this stamp defined by SCREWIM and SCREWIM_LEN in php_screwim.h. SCREWIM_LEN must be less than or equal to the size of SCREWIM.
- In November 2017, a php extension has been introduced that hooks up the zend_compile_file API before mod_screwim to take an encrypted file. To prevent this module, the values of SCREWIM and SCREWIM_LEN must be changed, and longer is better.
- No matter how long you change to a string, you can not defend 100% in mod_screwim logic. It is not suitable for encrypted code distribution.
- If you change the Magic key, it is not compatible with existing encrypted files. New encryption is required.
[root@host mod_screwim]$ phpize
[root@host mod_screwim]$ ./configure
[root@host mod_screwim]$ make installOn configure, the --enable-screwim-decrypt option adds decrypt functions ( screwim_decrypt(), screwim_seed() ). This means that you can decrypt an encrypted PHP file.
If you are building for distribution, never add the --enable-screwim-decrypt option!
After the build, make sure to back up the values of the SCREWIM_ENC_DATA constant in the config.h file and the value the SCREWIM constant in the php_screwim.h file. If you forget the original source later, you can use this value to recover it.
[root@an3 mod_screwim]$ grep SCREWIM_ENC_DATA < config.h
#define SCREWIM_ENC_DATA 26501, 21882, 15211, 24181, 15060, 13145
[root@an3 mod_screwim]$ grep "define SCREWIM " < php_screwim.h
#define SCREWIM "\tSCREWIM DATA\t"SCREWIM_ENC_DATA values vary from time to time of build, so it is recommended to have a separate backup.
PHP can test to see if the built module works.
[root@host mod_screwim]$ make test PHP_EXECUTABLE=/usr/bin/phpOr, if you want to test the extension you built before installing, you can do the following:
[root@host mod_screwim]$ php -d "extension_dir=./modules/" -d "extension=screwim.so" some.phpAdd next line to php configuration file (php.ini and so on)
extension=screwim.so
screwim.enable = 1By default, decryption does not work, so the performance of regular PHP files is better than the original PHP Screw. The screwim.enable option must be turned on for decryption to work. See also OOPS-ORG-PHP#3
For detail on the settings, refer to the Execution item below.
- (string) screwim_encrypt (string)
- Support runtime encryption.
- Can be used instead of tools/screwim command
- This API is not affected by the screwim.enable option.
<?php
$code = <<<EOF
<?php
$conf['url'] = 'http://domain.com/register';
$conf['pass'] = 'blah blah';
?>
EOF;
$data = screwim_encrypt ($code);
file_put_contents ('./config/config.php', $data);
?>- (string) screwim_decrypt (string, (optional) key, (optional) magickey_len)
- The --enable-screwim-decrypt option must be given at build time.
- Support runtime decryption.
- Can be used instead of tools/screwim command
- When call in an environment other than CLI mode, E_ERROR occurs.
- When not running as root privileges, E_ERROR occurs.
- This API is not affected by the screwim.enable option.
<?php
$config = file_get_contents ('./config/config.php');
echo screwim_decrypt ($config);
?>- (object) screwim_seed (void)
- The --enable-screwim-decrypt option must be given at build time.
- Returns encrypt seed key of current mod_screwim.so
- Can be used instead of tools/screwim command
- When call in an environment other than CLI mode, E_ERROR occurs.
- When not running as root privileges, E_ERROR occurs.
- This API is not affected by the screwim.enable option.
<?php
// returns follow
// stdClass Object
// (
// [keybyte] => 6b22886a0f4faa5f37783d36944d7823e707
// [keystr] => 8811, 27272, 20239, 24490, 30775, 13885, 19860, 9080, 2023
// [headerlen] => 14
// )
print_r (screwim_seed ());
?>The encription tool is located in mod_screwim/tools/ .
[root@host mod_screwim]$ cd tools
[root@host tools]$ ./autogen.sh
[root@host tools]$ ./configure --prefix=/usr
[root@host tools]$ make
[root@host tools]$ make install # Or copy the screwim file into an appropriate directory.
[root@host tools]$ /usr/bin/screwim -h
screwim 1.0.6 : encode or decode php file
Usage: screwim [OPTION] PHP_FILE
-c VAL, --convert=VAL convert key byte to digits
-d, --decode decrypt encrypted php script
-h, --help this help messages
-H VAL, --hlen=VAL length of magic key(SCREWIM_LEN or PM9SCREW_LEN). use with -d mode
-k VAL, --key=VAL key bytes. use with -d mode
-v, --view print head length and key byte of this file
[root@host tools]$The follow command creates the script file enciphered by the name of script file name .screw.
[root@host ~]$ /usr/bin/screwim test.php
Success Crypting(test.php.screw)
[root@host ~]$
The follow command creates the script file enciphered by the name of script file name .discrew.
[root@host ~]$ /usr/bin/screwim -d test.php.screw
Success Decrypting(test.php.screw.discrew)
[root@host ~]$
Add next line to php configuration file (php.ini and so on)
extension=screwim.soThe decryption does not work by default, when loading module.
The decryption process is as follows:
- Open the file and verify that the beginning of the file starts with the Magic key. (Check if the file is encrypted with ScrewIm)
- If the file is unencrypted(If the Magic key is missing or different), return to the zend compiler without working.
- Once the Magic key is confirmed, return to zend compile after decoding.
Obviously encryption and decryption will degrade performance. Therefore, it is recommended to reduce the number of encrypted documents as much as possible. However, even if you do not encrypt it, opening all files to check for encryption also causes performance degradation. In particular, a large number of connections can cause serious performance degradation.
To solve this problem, mod_screwim will return to the Zend compiler without checking the Magic key if the screwim.enable option is not enabled.
Therefore, it is best to minimize the encryption as much as possible, and it is recommended to include it in php after encrypting only certain functions.
Here is how to use the screwim.enable option:
screwim.enable = 1Add the above settings to the PHP configuration file(php.ini and so on). It is not recommended because it causes performance degradation when processing unencrypted php scripts.
Use this setting if there are not many connections or if there is sufficient resources.
In the CLI environment, if you can use the CLI configuration file separately from the apache module or FPM, it is recommended to add the above settings to php.ini.
Use the block to make the decryptor work on the desired path.
<Directory /path>
php_falg screwim.enable on
</Directory>use -d option.
[root@host ~]$ php -d screwim.enable=1 encrypted.phpIn the CLI environment, resource utilization is not high. If the configuration file is separate from the apache module or FPM, it is recommended that you add this option to your PHP configuration file.
<?php
ini_set ('screwim.enable', true);
require_once 'encrypted.php';
ini_set ('screwim.enable', false);
require_once 'normal.php';
blah_blah();
?>
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent