ionCube Logo
 FAQFAQ   SearchSearch   MemberlistMemberlist   UsergroupsUsergroups   RegisterRegister 
 ProfileProfile   Log in to check your private messagesLog in to check your private messages   Log inLog in 


 
Post new topic   Reply to topic    ionCube Forum Index -> ionCube PHP Encoder

External / dynamic keys

Author Message
eugenio



Joined: 05 Feb 2016
Posts: 17

PostPosted: Thu Apr 22, 2021 7:12 am    Post subject: External / dynamic keys Reply with quote

Hello,
is it possible to use external / dynamic keys when you encode through the command line interface? I haven't found any information in the manual.

I also have another, more general question about external / dynamic keys: according to the introduction in chapter 4 the idea is to avoid having the encryption key in the encrypted file itself. I understand that and external keys do exactly this. I don't get, however, how dynamic keys increase security: in this case the key is actually (at least in one of the option) IN the file itself.

Let's take your example:

Code:
// Using the value of a variable as the dynamic key.
// @ioncube.dk $x -> "58" RANDOM
function myfn($a)
{
 [Code body for myfn]
}
$x = 53;
$x += 5;
myfn($v); // First call to myfn – successful decoding depends
on the value of $x.


The key here is 58 and it's in the file, am I missing something? And in which case $x won't be 58? It will always be 58 if you run this code. I understand that a potential attacker, here, should run the code to try to get the key but I can't see why running the code should be problematic. Again, probably I am missing something.

Thanks!
Back to top
View user's profile Send private message
liaison
ionCube Support


Joined: 16 Dec 2004
Posts: 2804

PostPosted: Sun Apr 25, 2021 12:10 pm    Post subject: Reply with quote

Hi Eugenio

Dynamic keys is directed by source code comments as per your example, and external keys can be specified via the command line; the GUI launches the Encoder to encode, so all encoding operations that the GUI does can be achieved by the command line. Section 4.2 has details.

For security, Dynamic Keys can substantially overcome the weakness of decryption keys being stored in the encoded files themselves. In the early days, encoding was essentially bytecode compilation with some encoding of the bytecode. This is where most compiled solutions remain today and was very effective at the time, but after some years a Chinese group called the Blue Wind developed a decompiler for PHP bytecode, and although that wasn't an issue at the time, introducing new challenges to reverse engineering is important. Recognising that stored keys is a weakness, we set about thinking of ways to remove the need for having a decryption key stored as this can dramatically change the approaches needed for reverse engineering, and led to Dynamic or algorithmic keys.

The aim should be to write key generators where even if the source is available to a hacker, working out what the key will be is as challenging as possible. As an example, consider the difference between a key generator that returned 42 and one that used indirection and returned the value of $$p, where $p is a global. In parallel with conceiving of new security mechanisms we also think of ways to defeat them, and there are of course approaches that a reverse engineer could use in trying to unravel the mechanism, but there is a leap in effort and complexity and it's proven very effective. As it turns out, external keys has also been, and as they are easy to add we recommend always to use external keys too.
_________________
Community Admin
Back to top
View user's profile Send private message
eugenio



Joined: 05 Feb 2016
Posts: 17

PostPosted: Tue Apr 27, 2021 5:49 pm    Post subject: Reply with quote

Thanks liaison, after having read your post, everything is more clear.

I still have some doubts about dynamic keys though:

1) You mentioned in your example $$p, but the documentation says that variable variables are not allowed, am I missing something?

2) Let's say that I include in my program a .php file containing the most important functions and I want to encode the whole file instead of the individual functions. This should decrease a little bit security and increase a little bit performances, am I right? I am not sure, however, why I should comment also the first function of the file and about this aspect: can the dynamic key of the first function be totally different respect to the one I used for the script?

3) As far as I have understood, I cannot use dynamic keys on a script that does not contain any user defined functions, right? The only way is by prepending a script but this can be done only via .htaccess, php.ini or in general using webserver configurations. Can I do it via PHP code? For example would it work by setting auto_prepend_file via ini_set()?

Thanks!
Back to top
View user's profile Send private message
liaison
ionCube Support


Joined: 16 Dec 2004
Posts: 2804

PostPosted: Tue May 04, 2021 11:53 am    Post subject: Reply with quote

The idea would be to use var vars in a key generation function, where you can do anything you want.

The whole file dynamic key is for all code that isn't in a function, so you can cover your point 3. Having both a file level dynamic key and some for selected functions could be a good idea.
_________________
Community Admin
Back to top
View user's profile Send private message
eugenio



Joined: 05 Feb 2016
Posts: 17

PostPosted: Tue May 04, 2021 5:47 pm    Post subject: Reply with quote

liaison wrote:
The idea would be to use var vars in a key generation function, where you can do anything you want.


Oh, ok, I see.

liaison wrote:
The whole file dynamic key is for all code that isn't in a function, so you can cover your point 3. Having both a file level dynamic key and some for selected functions could be a good idea.


I still don't understand here, I think the manual explicitly says to add the comment also to the first function of the file, and that's not clear.

In my case, I was wondering if I can use dynamic keys for all the functions in a file (it's a functions file included in another, main, file) without having to add the comment to each single function.

Best,
Back to top
View user's profile Send private message
liaison
ionCube Support


Joined: 16 Dec 2004
Posts: 2804

PostPosted: Wed May 05, 2021 11:53 am    Post subject: Reply with quote

A key specification must be added for each function you want to have a dynamic key.
_________________
Community Admin
Back to top
View user's profile Send private message
eugenio



Joined: 05 Feb 2016
Posts: 17

PostPosted: Wed May 05, 2021 12:00 pm    Post subject: Reply with quote

Ok, thanks. Then I think the manual is not clear with the example I mentioned before.
Back to top
View user's profile Send private message
eugenio



Joined: 05 Feb 2016
Posts: 17

PostPosted: Sat May 29, 2021 11:33 am    Post subject: Reply with quote

Sorry I re-open this thread because I am still confused about how dynamic keys work for a whole script.

The manual says:

Dynamic keys can also be used for entire scripts. A dynamic key specifier will apply to the entire script if it occurs before all other key specifiers in the script and, in addition, another dynamic key specifier occurs before the first function

Also in your example, you have this comment
// The dynamic key specifier immediately below will apply
// to the script as there is another specifier before
// the first function.


So let's say I have a script without any function definition, only containing this code:

echo 'test';

if I add the dynamic key specifier at the beginning of the script, will it correctly work? What do you mean with "another dynamic key specifier occurs before the first function"?

If the script above, instead, also has class definitions, does this change something?

If the above script includes other scripts having class/function definitions, does this change something?

Thanks
Back to top
View user's profile Send private message
eugenio



Joined: 05 Feb 2016
Posts: 17

PostPosted: Tue Jun 15, 2021 3:18 pm    Post subject: Reply with quote

Any hint? The documentation is really not clear here.
Back to top
View user's profile Send private message
braxtonleo



Joined: 03 Aug 2021
Posts: 1

PostPosted: Tue Aug 03, 2021 7:57 am    Post subject: Reply with quote

I have not written anything for window in five years, and now thinking about it too much makes my head hurt.
I need the “Numpad +” key, when pressed, to see if the focused window’s name is “WinName1”, or “WinName2” and if so capture the “+” and send an “F9”. But if the focused window’s name is “WinName3”, or “WinName4” capture the “+” and send a “down arrow”. Otherwise just send the “+”

Our sales order software has the data entry clerks “10 keying” (very fast) and “mouseing”(disruptive) at the same time. This program will move the keyboard accelerators to the 10 keypad.

I am hoping starting this will be trivial to someone.

Thanks

------------------------------
www.talhacollection.com/
Back to top
View user's profile Send private message
Display posts from previous:   
Post new topic   Reply to topic    ionCube Forum Index -> ionCube PHP Encoder All times are GMT + 1 Hour
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum