How to Secure PHP Code with the Open‑Source screw‑plus Extension
This article explains how to protect commercial PHP projects from source leakage by using the open‑source screw‑plus extension to encrypt and obfuscate code, covering PHP extension lifecycle, hook mechanisms, encryption workflow, implementation details, and practical advantages and limitations.
Introduction
Because PHP is interpreted, a deployed commercial project ships its source in the clear, and anyone with read access to the web root can copy it. Encrypting and obfuscating the code with the open‑source screw‑plus extension raises the cost of such leakage; it does not make leakage impossible, as the limitations below show.
PHP Extension Lifecycle
A PHP extension has four main lifecycle hooks, MINIT, MSHUTDOWN, RINIT and RSHUTDOWN, which correspond to these function pointers in zend_module_entry :
<code>int (*module_startup_func)(INIT_FUNC_ARGS); /* MINIT() */
int (*module_shutdown_func)(SHUTDOWN_FUNC_ARGS); /* MSHUTDOWN() */
int (*request_startup_func)(INIT_FUNC_ARGS); /* RINIT() */
int (*request_shutdown_func)(SHUTDOWN_FUNC_ARGS); /* RSHUTDOWN() */</code>
These hooks let an extension run its own code at each stage: MINIT and MSHUTDOWN once per process, when the module is loaded and unloaded, and RINIT and RSHUTDOWN at the start and end of every request.
Hook Table
PHP core also exposes many function pointers that an extension may overwrite, for example the following (signatures as in PHP 7.x; several of them changed in PHP 8, so check the headers of the target version):
<code>// AST, Zend/zend_ast.h:
void (*zend_ast_process_t)(zend_ast *ast)
// Compiler, Zend/zend_compile.h:
zend_op_array *(*zend_compile_file)(zend_file_handle *file_handle, int type)
zend_op_array *(*zend_compile_string)(zval *source_string, char *filename)
// Executor, Zend/zend_execute.h:
void (*zend_execute_ex)(zend_execute_data *execute_data)
void (*zend_execute_internal)(zend_execute_data *execute_data, zval *return_value)
// GC, Zend/zend_gc.h:
int (*gc_collect_cycles)(void)
// TSRM, TSRM/TSRM.h:
void (*tsrm_thread_begin_func_t)(THREAD_T thread_id)
void (*tsrm_thread_end_func_t)(THREAD_T thread_id)
// Error, Zend/zend.h:
void (*zend_error_cb)(int type, const char *error_filename, const uint error_lineno, const char *format, va_list args)
// Exceptions, Zend/zend_exceptions.h:
void (*zend_throw_exception_hook)(zval *ex)
// Lifetime, Zend/zend.h:
void (*zend_on_timeout)(int seconds)
void (*zend_interrupt_function)(zend_execute_data *execute_data)
void (*zend_ticks_function)(int ticks)</code>
screw‑plus Extension
The extension source tree includes files such as aes.c , decode.c , php_screw_plus.c , and a Makefile . In php_screw_plus.h a macro defines the secret key used for encryption:
<code>#define CAKEY "FwWpZKxH7twCAG4JQMO"</code>
This macro is compiled into both the extension and the command‑line tool, so it must be changed to a private value before either is built. tools/screw.c builds that tool, which walks a directory tree and applies screw_encrypt or screw_decrypt to each file it finds.
Encryption Process
Compute the MD5 of CAKEY ; the first 16 bytes of the result form enTag , which is written as bytes 0‑15 of the output file header.
Write the original file length into bytes 16‑31 of the header.
Encrypt the file contents with AES‑CBC, 16 bytes per block, using the MD5‑derived key. Because the original length is recorded in the header, the final partial block can be padded on encryption and trimmed on decryption.
Append the ciphertext after the 32‑byte header.
Decryption Process
Decryption reverses these steps: check the tag, read the length from the header, decrypt the payload, trim it to the recorded length, and write the recovered PHP source to a temporary file, which is then handed to the compiler. The plaintext therefore exists on disk, however briefly, whenever an encrypted file is compiled.
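The container format described in the two procedures above, written out as an added example in Go (this is not the project's own code; screw‑plus is C). It uses the CAKEY value quoted earlier and the 16‑byte MD5 digest both as header tag and AES‑128 key, as the article describes. Two details the article does not state are assumptions here and are marked as such in the code: the length field is stored as a little‑endian uint64 in the first eight of its 16 bytes, and a fixed all‑zero IV is used because the layout has no IV field. The sample PHP source is constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/md5"
	"encoding/binary"
	"errors"
	"fmt"
)

// CAKey mirrors the CAKEY macro quoted from php_screw_plus.h.
const CAKey = "FwWpZKxH7twCAG4JQMO"

const (
	tagLen    = 16                // enTag: the MD5 digest of CAKEY
	lenField  = 16                // bytes 16-31 of the header: original length
	headerLen = tagLen + lenField // 32-byte header before the ciphertext
)

// ErrNotEncrypted signals a file without the screw-plus header; the compile
// hook hands such files to the original zend_compile_file unchanged.
var ErrNotEncrypted = errors.New("screw: no screw-plus header")

// fixedIV is an assumption: the layout on the page has no IV field, so a
// constant all-zero IV is used. Fixed key + fixed IV means identical sources
// produce identical ciphertext, and equal leading blocks are visible.
var fixedIV = make([]byte, aes.BlockSize)

// KeyMaterial returns the 16-byte MD5 of CAKEY, which the page uses both as
// the header tag (enTag) and as the AES-128 key.
func KeyMaterial() []byte {
	sum := md5.Sum([]byte(CAKey))
	return sum[:]
}

// Encrypt produces [enTag][length][AES-128-CBC ciphertext], zero-padding the
// source to a block boundary; the recorded length lets Decrypt drop the pad.
func Encrypt(src []byte) ([]byte, error) {
	key := KeyMaterial()
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padded := make([]byte, (len(src)+aes.BlockSize-1)/aes.BlockSize*aes.BlockSize)
	copy(padded, src)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, fixedIV).CryptBlocks(ct, padded)

	out := make([]byte, headerLen, headerLen+len(ct))
	copy(out[:tagLen], key)
	// Assumption: the length is stored as a little-endian uint64 in the first
	// eight bytes of the 16-byte field; the page only says "bytes 16-31".
	binary.LittleEndian.PutUint64(out[tagLen:tagLen+8], uint64(len(src)))
	return append(out, ct...), nil
}

// Decrypt reverses Encrypt. It is the work pm9screw_compile_file must do
// before writing the plaintext to a temporary file for the real compiler.
func Decrypt(data []byte) ([]byte, error) {
	key := KeyMaterial()
	if len(data) < headerLen || !bytes.Equal(data[:tagLen], key) {
		return nil, ErrNotEncrypted
	}
	origLen := binary.LittleEndian.Uint64(data[tagLen : tagLen+8])
	ct := data[headerLen:]
	if len(ct)%aes.BlockSize != 0 || uint64(len(ct)) < origLen {
		return nil, errors.New("screw: payload length inconsistent with header")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, fixedIV).CryptBlocks(pt, ct)
	return pt[:origLen], nil
}

func main() {
	// Constructed sample input, not a file taken from the project.
	src := []byte("<?php\necho 'protected by screw-plus';\n")
	enc, err := Encrypt(src)
	if err != nil {
		panic(err)
	}
	dec, err := Decrypt(enc)
	if err != nil {
		panic(err)
	}
	fmt.Printf("tag=%x size=%d roundtrip=%v\n", enc[:tagLen], len(enc), bytes.Equal(src, dec))
	// A plain PHP file has no tag and must fall through to the original compiler.
	_, err = Decrypt(src)
	fmt.Println("plain file:", err)
}
```

The tag check is what lets encrypted and plain files coexist in one tree: a missing tag is not an error but a signal to use the stock compiler. Note also what the format gives away to anyone holding the .so: the tag in every file is md5(CAKEY), so a single encrypted file confirms which key a recovered binary belongs to.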
Extension Integration
The extension hooks the compiler rather than the executor. In MINIT it saves the original zend_compile_file pointer and installs its own pm9screw_compile_file ; in MSHUTDOWN it restores the original pointer.
<code>/* saved pointer to the stock compiler, restored at shutdown */
static zend_op_array *(*org_compile_file)(zend_file_handle *file_handle, int type);

PHP_MINIT_FUNCTION(php_screw_plus)
{
    /* runs once per process: install the decrypting compile hook */
    CG(compiler_options) |= ZEND_COMPILE_EXTENDED_INFO;
    org_compile_file = zend_compile_file;
    zend_compile_file = pm9screw_compile_file;
    return SUCCESS;
}

PHP_MSHUTDOWN_FUNCTION(php_screw_plus)
{
    /* setting this flag has no effect this late; harmless */
    CG(compiler_options) |= ZEND_COMPILE_EXTENDED_INFO;
    zend_compile_file = org_compile_file; /* put the stock compiler back */
    return SUCCESS;
}</code>
The custom compile function reads the file header. If the first 16 bytes equal the MD5 tag, it decrypts the payload, writes the plaintext to a temporary file and passes that file to the saved original compiler; files without the tag are passed through untouched, so encrypted and plain PHP files can coexist in one tree.
Advantages and Limitations
Simple, free and open‑source, compared with commercial protection products.
Security rests entirely on the secrecy of CAKEY . The key is a string constant compiled into the shared object, so anyone who can read the .so can recover it (with strings or by disassembly) and decrypt every protected file; at that point the protection is gone. The decrypted source is also written to a temporary file, so it is briefly visible on disk.
Possible Improvements
Pack or otherwise obfuscate the generated .so (the article suggests UPX) to make recovering the key harder; this raises the effort required but does not remove the key from memory at runtime.
Derive the key from several values rather than a single constant string, so that no one literal in the binary is the key.
Conclusion
The screw‑plus extension demonstrates a practical way to ship PHP code encrypted and decrypt it transparently at compile time, offering a lightweight protection mechanism while showing that its strength is bounded by how well the key is protected.
360 Zhihui Cloud Developer