This repository has been archived on 2020-05-03. You can view files and clone it, but cannot push or open issues or pull requests.
phppack/README.md

57 lines
3.7 KiB
Markdown
Raw Permalink Normal View History

2014-12-30 08:06:06 +00:00
# phppack
![](https://img.shields.io/badge/written%20in-PHP-blue)
An obfuscator, minifier and packer for PHP files.
Tags: PL
phppack will attempt to turn your entire multi-file PHP project into a single `.php` file of largely unreadable garbage, that can still be executed with the same result. It combines an obfuscator, minifier, compressor and packer.
phppack includes source code from nikic/PHP-Parser under the terms of the BSD license. As a demonstration, phppack is also distributed obfuscated and encoded along with all its dependencies.
## Information
```
Usage:
phppack [options] [--] [file1.php [...]]
Options:
--compress Compress packed output
--dump-tokens {output.txt} Write all detected tokens to file
--filelist {list.txt} Process every file in list.txt
--handler {name} Set internal name for handler and class
--mangler=short|nilt|dbqp Select mode for generating nonsense words
--no-obfuscate Do not obfuscate packed files
--no-pack Obfuscate one file only, do not pack.
--strings=rand|rot13|uuenc|none Select mode for string constants in file
--whitelist {token} Don't obfuscate single token
--whitelist-tokens {input.txt} Don't obfuscate all tokens in file
--whitelist-autoload {path} Don't obfuscate filenames found within path
```
PHP is obviously a dynamic language. The obfuscator works by replacing tokens in source code. If tokens are used in dynamic contexts then the replacement might be incorrect. This issue is more likely to impact code that uses variable variables, `__get`, dynamic variables or reflection. You can identify incorrect replacements by reading errors from running your program, and mark the tokens as whitelisted on a successive invocation of `phppack`.
A large whitelist is generated based on your existing PHP environment. This ensures that built-in constants and functions can still be called.
Tokens are irreversibly encoded using your choice of mangling function. The mangling is preserved throughout the entire project, so you must run `phppack` on your entire source code and all dependencies simultaneously. Alternatively if you do not wish to mangle certain files (e.g. GPL files), you can use the `--dump-tokens` and `--whitelist-tokens` options to minimise the impact (increase compatibility, reduce obfuscation).
String constants are reversibly encoded using your choice of encoding: either none (best compatibility, no runtime performance penalty), uuenc (smallest filesize), rot13, or a deterministic random choice of several functions (best obfuscation). A string constant containing a known token is replaced with its mangled token name above. This has some false positives but in general is sufficient to make things like `array_filter([], 'strlen')` work correctly.
If you are packing multiple files together, a virtual filesystem is created with a stream wrapper. Your application will appear to reside within `base://_/` and the wrapper will attempt to `require` the first packed file. Files not containing any PHP tokens are embedded without modification. You can use the `--compress` option to reduce the size of the generated package file.
You can pack a file that has already been packed with `phppack` by using the `--handler` option to choose a different nonconflicting protocol.
## See Also
- nikic/PHP-Parser - https://github.com/nikic/PHP-Parser/
- `phar`, a packer for multiple PHP files, now part of PHP core - http://php.net/manual/en/book.phar.php
## Download
- [⬇️ phppack_r99.zip](dist-archive/phppack_r99.zip) *(253.62 KiB)*
- [⬇️ phppack_r99.packed.zip](dist-archive/phppack_r99.packed.zip) *(42.88 KiB)*