Daniel Rozsnyó: PHP LockIt! - an example of a bad product
PHP LockIt! - an example of a bad product
This report focuses on one of the weird products which you may find on the Internet, and its
main purpose is to share some of my knowledge in the field of breaking simple and weak encryption
methods.
Introduction
One day, one of my friends asked me if I could look at a product for encrypting PHP files
which seemed a lot more financially attractive ($29.99) than the Zend Encoder ($960 per year or
$2.400 for a lifetime license). I did not have much free time, so I told him to check it out on his
own, encode some files, and I would just look at the output. So he did, and I got back an encoded file.
To my surprise, the file was a usual PHP file, and I instantly knew that this encryption could be
easily broken. When I told him that this product is useless and that a beginner can break it, he did not
believe me. So I decoded the encoded file, and it took less than 10 minutes.
The software
Trial version
You may get a 30-day, fully featured evaluation and demonstration version of the product at
http://www.phplockit.com/demo.php. After the installation you can encode your files (if you click
OK in a dialog informing you that you are using the demo version every time you start encoding).
Fig.1: The user interface
Full version
The following note is from the shopping page (http://www.phplockit.com/buy.php):
Once your payment has been made you will be sent an email giving a URL,
allowing you to download the software immediately.
I thought that there would be some hashed names, but my friend was quicker - he gave me
this link: http://www.phplockit.com/downloads/. When I went there, I saw a list of files with
hashed names. Maybe somebody forgot to turn off the Indexes... or they just want to keep the
quality of the product and the web presentation at the same level ;-)