Project: Kage
Target Environment: PHP 7.4 (Zend Engine 3.4.x)
Kage is a high-performance PHP extension designed for the cryptographic protection of code. It implements Bytecode Virtualization and Native Code Virtualization to protect PHP source code and execution logic from static and dynamic analysis.
The system utilizes a layered protection architecture.
- Dynamic ISA (Instruction Set Architecture): Protected files are compiled into a unique, randomized instruction set based on a per-file 32-bit seed.
- Control Flow Flattening (CFF): The execution graph is modified via Jump Target Obfuscation. Original jump destinations are XOR-encrypted and re-linked in memory during runtime.
- Recursive Logic Obfuscation: Obfuscation of child structures, including nested functions, class methods, and anonymous closures.
- Literal Table Protection: Constant strings and numeric values are XOR-encrypted at the compiler level and decrypted JIT within protected memory blocks.
- Symbol Table Masking: Variable name indices and names in the
op_array->varstable are obfuscated to prevent information leakage through Reflection API or debuggers.
- Binary Virtualization: Core functions (
kage_raw_decrypt,kage_get_machine_id) are virtualized using VMPacker. - Interpreter-in-Interpreter: C-logic is transformed into custom VM-bytecode, preventing analysis of decryption algorithms using standard disassemblers.
Kage implements an intercept strategy:
- Interception: The entry point of protected functions is replaced with a
ZEND_NOPcarrier. - Restoration: On first invocation, the dispatcher restores native Zend handlers and unprotects the
op_arrayin-place. - Execution: Subsequent executions run at native PHP speed.
- Hardware-Locked Execution: Scripts can be bound to a specific hardware fingerprint (supports Linux
/etc/machine-idand macOSgethostname). - Integrity Validation: Header with CRC32 verification ensures that tampered payloads are blocked before execution.
- Runtime: PHP 7.4 (AMD64/ARM64 architectures).
- Dependencies:
libsodium. - Build System: CMake 3.16+, GCC 10+, or Docker.
Deploy the binary artifact:
# 1. Integrate the binary module
cp artifacts/kage_protected.so $(php-config --extension-dir)/kage.so
# 2. Configure the PHP environment (php.ini)
extension=kage.so
kage.encryption_key = "SECURE_32_CHAR_ALPHANUMERIC_KEY"Procedure to generate protected assets:
<?php
// Retrieve target system HWID for binding
$target_hwid = kage_get_machine_id();
// Encryption Workflow
$source_code = file_get_contents('production_script.php');
$master_key = "0123456789abcdef0123456789abcdef";
$encrypted_blob = kage_encrypt_c($source_code, $master_key, $target_hwid);
file_put_contents('production_script.kage', base64_decode($encrypted_blob));/c_extension: Core C-source code and Zend Engine integration./packer/VMPacker: Submodule for native virtualization (x86_64/ARM64 support)./artifacts: Pre-compiled binaries./tests: Security and stability verification suite.
Compliance is verified using tests/test_enterprise_suite.php, covering:
- ISA Uniqueness: Randomized opcode mapping.
- Performance Benchmarking: Native speed execution verification.
- Integrity Enforcement: Tamper detection and HWID lock validation.
Licensing: Proprietary.
Usage Policy: Redistribution, reverse engineering, or modification is prohibited.
Compliance: Designed for secure software distribution.