
I am trying to secure my Laravel project, or at least the most critical parts of it. I am planning to make it a SaaS but it will take me some time, so I was going to just encrypt most of the project. I learned about PHP extensions and how to build one using C++ and Crypto++ for encryption and decryption. I also made a simple encryption tool using the same library.

It took me like a week to set up the extension with C++ and include all the libraries, and now it's running. I wrote the decryption logic that will get the decrypted PHP code and then execute it. All of this with a simple function to be called in a .php file (loader_decrypt(encrypted_file_path)); but as always, nothing works the way I want :) The execution of the PHP code is successful, but I don't want it to be executed, I want the functions and classes inside that file to be available, for example:

Controller (to be encrypted):

    namespace App\\Http\\Controllers;

    class Controller
    {
        public function hello()
        {
            echo "hello";
        }
    }

Controller (will call a function from encrypted Controller):

    <?php
    // Ensure the loader extension is loaded
    if (!extension_loaded('loader')) {
        die('The loader extension is not loaded.');
    }

    // Path to your encrypted file
    $encryptedFilePath = 'Controller.enc';

    // Execute the encrypted file
    if (loader_decrypt($encryptedFilePath)) {
        echo "Decryption and execution were successful.";

        // Now you can use the Controller class
        $controller = new Controller();
        $controller->hello();
    } else {
        echo "Decryption or execution failed.";
    }
    ?>

When I add the extension to my php.ini and try php Controller.php, it prints:

    Decryption and execution were successful.
    PHP Fatal error: Uncaught Error: Class "Controller" not found in /home/.../Desktop/Controller.php:15

This is what I mean by executing the file and not exposing its content. It is worth noting that I do NOT want anyone, even someone with server access, to see my source code for the encrypted Controller. How can I do that?

    bool decryptAndExecuteFile(const std::string& filePath) {
        std::ifstream file(filePath, std::ios::binary);
        if (!file) {
            std::cerr << "Error: Unable to open file." << std::endl;
            return false;
        }

        // Read IV from the file
        SecByteBlock iv(AES::BLOCKSIZE);
        file.read(reinterpret_cast<char*>(iv.data()), iv.size());

        // Read the rest of the file as ciphertext
        std::string ciphertext((std::istreambuf_iterator<char>(file)),
                               std::istreambuf_iterator<char>());
        file.close();

        // Extract key from the ciphertext
        std::string key = extractKeyAndCleanCiphertext(ciphertext);

        // Ensure key size is correct
        if (key.size() != AES_KEYLENGTH) {
            std::cerr << "Error: Key length is incorrect." << std::endl;
            return false;
        }

        // Decrypt the data
        std::string decryptedContent = decryptData(
            ciphertext, key,
            std::string(reinterpret_cast<const char*>(iv.data()), iv.size()));
        if (decryptedContent.empty()) {
            std::cerr << "Decryption failed!" << std::endl;
            return false;
        }

        // Debugging: Write decrypted content to a file for inspection
        std::ofstream debugFile("decrypted_debug.php");
        debugFile << decryptedContent;
        debugFile.close();

        // Check for unexpected characters and clean the content
        std::string cleanContent;
        for (char c : decryptedContent) {
            if (std::isprint(static_cast<unsigned char>(c)) ||
                std::isspace(static_cast<unsigned char>(c))) {
                cleanContent += c;
            }
        }

        // Debugging: Print length and first few characters of cleaned content
        std::cout << "Cleaned content length: " << cleanContent.size() << std::endl;

        // Check if the content starts with "<?php"
        if (cleanContent.find("<?php") != 0) {
            std::cerr << "Decrypted content does not start with '<?php'." << std::endl;
        }

        // Convert cleaned content to zend_string
        zend_string *php_code = zend_string_init(cleanContent.c_str(), cleanContent.length(), 0);
        int result = zend_eval_string(ZSTR_VAL(php_code), nullptr, "Decrypted PHP Code");
        zend_string_release(php_code);

        if (result == FAILURE) {
            std::cerr << "Failed to execute decrypted PHP code." << std::endl;
            return false;
        }

        return true;
    }

This is the function that is responsible for decrypting and executing the PHP code. Another problem that I do not know for sure what will happen is that if I found a solution for this problem, will it work with Laravel? I hope to learn more about PHP extensions and how to make them even more effective.

EDIT

Another thing. Other controllers extend from this Controller class. How will this work, because I tried to use App\Http\Controllers\Controller; but it still couldn't find the Controller class.

    <?php

    namespace App\Http\Controllers\Management;

    use App\Http\Controllers\Controller;

    class MemberCourseDetailsController extends Controller
    {
        public function sayHelloFromController()
        {
            $this->hello();
        }
    }
6
  • 1
    Your PHP code is not correct and should throw a parse error because of the double backslashes: 3v4l.org/MrepF Commented Aug 26, 2024 at 19:10
  • 3
    Additionally, you instantiate Controller instead of \App\Http\Controllers\Controller. Commented Aug 26, 2024 at 19:12
  • Sometimes I wonder how I am a software developer XD. You are correct @Olivier, it now works, but there is another problem. Other controllers actually extend from this Controller that loads and decrypts the encrypted controller. I will edit the question to make it more reproducible. Commented Aug 27, 2024 at 8:10
  • I tried something, which is to use require_once "path/to/Controller.php"; and it worked, but I'm just curious if there is another way @Olivier Commented Aug 27, 2024 at 9:00
  • I guess you will need to write your own autoload. Commented Aug 27, 2024 at 9:13
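
The autoloader suggested in the last comment, as an added example that is not part of the original question or its comments: it maps classes under the App\ namespace to encrypted files and loads them on demand through the asker's loader_decrypt(). The app-enc/ directory, the .enc file naming and the helper name encrypted_path_for are assumptions.

```php
<?php
// Added example. Assumptions: loader_decrypt() is the asker's extension
// function and returns true once the decrypted file has been evaluated;
// the app-enc/ directory and the ".enc" suffix are hypothetical.

const ENC_PREFIX = 'App\\';               // namespace prefix served from encrypted files
const ENC_BASE   = __DIR__ . '/app-enc/'; // hypothetical directory holding the *.enc files

// Map App\Http\Controllers\Controller to app-enc/Http/Controllers/Controller.enc.
function encrypted_path_for(string $class): ?string
{
    if (strncmp($class, ENC_PREFIX, strlen(ENC_PREFIX)) !== 0) {
        return null; // not our namespace
    }
    $relative = substr($class, strlen(ENC_PREFIX));
    // Accept only identifier segments joined by single backslashes, so a
    // class name coming from untrusted input cannot reach outside ENC_BASE.
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*(?:\\\\[A-Za-z_][A-Za-z0-9_]*)*$/D', $relative)) {
        return null;
    }
    return ENC_BASE . str_replace('\\', '/', $relative) . '.enc';
}

spl_autoload_register(function (string $class): void {
    $path = encrypted_path_for($class);
    if ($path === null || !is_file($path)) {
        return; // fall through to the next autoloader (e.g. Composer's)
    }
    if (!loader_decrypt($path)) {
        throw new RuntimeException("Failed to load encrypted file for $class");
    }
    // The decrypted code must declare the class under its fully qualified
    // name (namespace App\Http\Controllers; with single backslashes).
    if (!class_exists($class, false) && !interface_exists($class, false)
        && !trait_exists($class, false)) {
        throw new RuntimeException("$path did not define $class");
    }
}, true, true); // throw if registration fails; prepend ahead of other loaders

// Both of these now resolve through the autoloader, without require_once:
//   $controller = new \App\Http\Controllers\Controller();
//   class MemberCourseDetailsController extends Controller { ... }
```

Register it before any code references the encrypted classes; a child class that extends Controller triggers the same lookup when it is declared.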
