Thoughts on Code Obfuscation

I just wanted to get everyone's thoughts on Code Obfuscation here for both themes and plugins? I bought a plugin and "developer" rights to it to use it on client sites, and I want to tweak it a bit to fit my workflow a little better, but when I opened the plugin files there is a bunch of gobbledygook in there.

Is it right for me to try to de-obfuscate it? And if it is, where would I go to even start learning how to do it? I don't want to post the code publicly because I am not trying to share it or remove the protection or anything, I just want to make it work for me a bit better.

Thanks for your help.

  • Tom Eagles
    • Syntax Hero

    The plugin is encoded right (base 64?)

    The best thing would be to carefully check what exactly the developer rights allow you to do. Do they allow reverse engineering (i.e. unencoding, modification, then re-encoding)? It may be that you would have to re-encode it to protect their code with your modifications. Personally, with developer rights I would have wanted the source I had the rights to be unencoded.

    Just go back to them and check exactly what you can and can't do with it to cover your own bases.

    As far as seeing it in themes and plugins then it's a way of an author protecting his works and intellectual property rights.

    Just a lot of people tend to worry when they see encoded material in a plugin or theme.

  • successfulgeek
    • Site Builder, Child of Zeus

    Thanks @tom.eagles for your insight on that. They say they don't allow unencoding/reverse engineering and just wondering how that works with WordPress being GPL and all?

    I think it is base 64 encoded but if it was I think it was run through the process a couple times because normal base 64 encoding is very easy to reverse. This is a little more complicated.

  • maxaud
    • The Crimson Coder

    I hate it when they do that.

    Often times I'll be like "Oh, that's almost what I need.. I'll get it and modify the code.."
    later find out that it's obfuscated and have to go through that process.

    You'll also want to make sure you're getting the plugin from the actual seller as a lot of times most reputable sellers of plugins and themes won't do this and it's sometimes a sign of a few things..

    1) they're doing something you don't want them to..
    this could be a call to home, insertion of links, creating a backdoor, etc..

    2) They've ripped the plugin or theme off from somewhere else and they've changed it to insert their links in somewhere and are making it hard to remove them.

  • Dean Kaus
    • The Bug Hunter

    Great observations @maxaud Very valid points. @successfulgeek I would first go back to the sales page and verify whether or not they make claims that allow for customization to blend in or work with other sites.

    The next thing I would do is let them know that I was under the impression upon purchase that I'd be able to make changes to match my or my clients' sites with developer rights. If it is their policy to not allow me to make the changes, then I would request either that they make the changes and keep their intellectual property safeguarded. Or give me the ability to have the portion of the code I need to change un-obfuscated. Or lastly give me a refund as I can't truly develop as promised with their product as is.

    I may be wrong in my thinking but If I was led to believe that I had developers rights and the right to customize... Just sayin...

  • Tom Eagles
    • Syntax Hero

    @successfulgeek @maxaud is spot on with the checking that they are an authorised seller.

    What surprises me the most is that they have given you the development rights but don't allow you access to the source which kind of makes it somewhat difficult to do what you want to do with it.

    What does their Development rights actually offer you as a client?

    Have you ever used a nice little plugin called TAC? I have it installed on my WordPress and it scans all themes to check for anything unexpected such as embedded static links and encrypted code etc.

    I don't know of such a program for plugins though.

    @Dean Kaus is bang on as well, I would be back to them already, normally when purchasing a DEV version of a product you normally have access to the source, most often the main restriction is not to remove credits of the original author similar to a GPL license.
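The kind of check mentioned in the post above (static links and encoded code), applied to a plugin directory, can be sketched as follows. This is an added example, not part of the thread and not TAC's code; the heuristics, the finding names and the constructed sample sources are assumptions chosen for illustration.

```python
import re
import tempfile
from pathlib import Path

# Heuristics are assumptions for this example, not TAC's actual rules.
PATTERNS = {
    # eval() fed directly by a decoding function
    "eval-of-decoded-data": re.compile(
        r"\beval\s*\(\s*@?\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    # nested decoders, i.e. the payload was encoded more than once
    "decode-chain": re.compile(
        r"\b(?:gzinflate|gzuncompress|str_rot13)\s*\(\s*(?:base64_decode|str_rot13)\s*\(", re.I),
    # a quoted run of 200+ base64-alphabet characters
    "long-base64-literal": re.compile(r"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]"),
    # hard-coded anchor tag pointing at an external site
    "static-external-link": re.compile(r"<a\s[^>]*href\s*=\s*['\"]https?://", re.I),
}

def scan_source(text):
    """Return the sorted names of the heuristics that match one PHP source."""
    return sorted(name for name, rx in PATTERNS.items() if rx.search(text))

def scan_plugin(root):
    """Map each flagged .php file under root (relative path) to its findings."""
    report = {}
    for path in sorted(Path(root).rglob("*.php")):
        findings = scan_source(path.read_text(errors="replace"))
        if findings:
            report[str(path.relative_to(root))] = findings
    return report

# Constructed sample sources (not taken from any real plugin).
CLEAN = "<?php\nfunction wpn_render() { echo esc_html( get_option('wpn_note') ); }\n"
ENCODED = "<?php eval(gzinflate(base64_decode('" + "QUJD" * 60 + "')));"
LINKED = "<?php echo '<a href=\"http://example.invalid/\">credits</a>';"

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "inc").mkdir()
        (Path(tmp) / "plugin.php").write_text(CLEAN)
        (Path(tmp) / "inc" / "loader.php").write_text(ENCODED)
        (Path(tmp) / "footer.php").write_text(LINKED)
        for name, findings in scan_plugin(tmp).items():
            print(name, "->", ", ".join(findings))
```

A match only marks a file for manual review; legitimately protected commercial code triggers the same patterns as tampered copies.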



  • Tom Eagles
    • Syntax Hero


    One last thing, I have seen it on a few themes or plugins where the so called "Development" license really only means that you can install it on more than one site, in which case it may not be legally possible to modify it under their license terms.

    Rereading your original post makes me think that this could possibly be the case.

  • Dean Kaus
    • The Bug Hunter

    @successfulgeek what site did you purchase it from? Also if you're comfortable naming the plugin or what it does. Possibly someone else here has had experience with the developer, the company who sold it or better yet have an alternate solution for you.

    I actually had a question about a plugin and had slightly complained that I couldn't get it to work with my theme. Turns out another member knew the developer and he sent me the solution. Anyway signing off for the night have an early meeting....

  • Timothy
    • Chief Pigeon

    If it's for WordPress then under the GPL it should be GPL with the exception of images and CSS which can have alternative licensing.

    Me personally, I hate encoded code, if it's base64 then there are tons of free tools to decode it.

    And loads more. Sometimes one will work and others won't.

    If it's ionCube then you'd need other methods.

    As mentioned above this is often done on ripped off plugins, we get people doing it with ours. Sometimes they encode nasty little surprises in there and then steal your data.

    We've had people come to us before expecting us to support code they downloaded via some blackhat type forum. They think it's our job to support code they downloaded elsewhere which is now causing them problems.

    The same happens for other companies, you get the same with Woothemes, Elegant Themes and loads more (people reselling dodgy copies of their products), would I trust em.... Nah, it's just not worth the risk.

    Take care.

  • successfulgeek
    • Site Builder, Child of Zeus

    They are the authorized seller. It is called WPNotepad and looking through things the "developer" license gives me the right to install it on client sites, which is useful. It didn't say anywhere I would have the right to modify it. I still wish I could tweak it a little bit though, but I can get it to do what I want I found out.

    Here are the rights that I have with my license.

    You can install this plugin on UNLIMITED DOMAINS that you PERSONALLY OWN.
    You cannot edit the plugin in any way.
    You cannot sell, distribute, or give away the plugin in any way, other than installing it on their site for them.
    You can manually install this plugin on your CLIENT'S SITES.
    You can include this plugin when FLIPPING your site.

    And it is definitely encoded with more than just base64 @Timothy

    They aren't doing anything malicious, they are just protecting their codebase, it is still annoying though and making me want to search for an alternative.

    Gravity Forms 1.7 will do what I need it to do once 1.7 comes out but that could be another year.
