A powerful Laravel package for code obfuscation with encryption and variable name randomization. Protect your PHP source code with 9.5/10 security level (ionCube equivalent).
- 🔒 XOR Encryption - All PHP code is encrypted and executed via eval()
- 🌐 Unicode Obfuscation - Variable and method names replaced with Unicode lookalikes
- 🧹 Blade View Cleaning - Remove comments from Blade templates
- 📦 Automatic Backups - Create timestamped backups before obfuscation
- 🛡️ Debug Disabling - Prevent debugging attempts and hide error information
- ⚙️ Highly Configurable - Customize paths, exclusions, and protection levels
- 🎯 Laravel Optimized - Preserves Laravel/Livewire functionality
- 🚀 Artisan Command - Simple CLI interface
composer require escarter/laravel-obfuscator --devNote: This package is now available as a stable v1.0.0 release on Packagist!
- Create a
packagesdirectory in your Laravel project root:
mkdir -p packages/escarter-
Clone or copy this package to
packages/escarter/laravel-obfuscator -
Add to your
composer.json:
{
"repositories": [
{
"type": "path",
"url": "./packages/escarter/laravel-obfuscator"
}
],
"require-dev": {
"escarter/laravel-obfuscator": "@dev"
}
}- Run:
composer update escarter/laravel-obfuscatorPublish the configuration file:
php artisan vendor:publish --tag=obfuscator-configThis creates config/obfuscator.php where you can customize:
- Paths to obfuscate (default: app, database, routes)
- Excluded files (preserve critical Laravel files)
- Backup settings
- Encryption method
- Debug disabling features (prevent debugging attempts)
- Protected variable/method/property names
- Output verbosity
// config/obfuscator.php
return [
'paths' => [
'app',
'database',
'routes',
],
'excluded_files' => [
'Kernel.php',
'Handler.php',
'ServiceProvider.php',
],
'backup' => [
'enabled' => true,
'prefix' => 'BACKUP_',
],
'unicode_names' => true,
// ... more options
];php artisan obfuscate:runThis will:
- ✅ Create a timestamped backup
- 🔒 Encrypt all PHP files in configured paths
- 🧹 Clean Blade view comments
- 📊 Display statistics and encryption key
Preview what will be obfuscated without making changes:
php artisan obfuscate:run --dry-runIf you've already created a backup manually:
php artisan obfuscate:run --no-backupObfuscate only PHP files, leave Blade views untouched:
php artisan obfuscate:run --no-viewsDisable debug prevention features (not recommended for production):
php artisan obfuscate:run --no-debug-disableThe package uses nikic/php-parser to parse PHP files into Abstract Syntax Trees (AST).
- Variables: Private variables are renamed with Unicode lookalikes
- Methods: Private/protected methods are obfuscated
- Properties: Private properties are renamed
- compact(): Converted to explicit arrays
Code is encrypted using XOR cipher with a random key and base64 encoded.
Encrypted code is wrapped in a self-executing eval() statement:
<?php $_k="encryption_key";$_d=base64_decode('...');$_r='';for($_i=0;$_i<strlen($_d);$_i++)$_r.=chr(ord($_d[$_i])^ord($_k[$_i%strlen($_k)]));eval($_r);The package includes advanced debug disabling features to prevent reverse engineering:
error_reporting(0)- Disables all error reportingini_set('display_errors', 0)- Hides error outputini_set('log_errors', 0)- Prevents error logging
var_dump()- Neutralized to prevent variable inspectionprint_r()- Disabled to prevent data dumpingdie()- Neutralized to prevent script termination debugging
- Automatically disables XDebug if present
- Prevents debug_backtrace() functionality
- Detects proxy headers (X-Forwarded-For, X-Real-IP, etc.)
- Monitors included file count (debugging tools load many files)
- Detects long execution times (debugging sessions)
- Returns 404 response when debugging is detected
'debug_disabling' => [
'enabled' => true,
'disable_error_reporting' => true,
'disable_xdebug' => true,
'disable_debug_backtrace' => true,
'disable_var_dump' => true,
'disable_print_r' => true,
'disable_die_exit' => true,
'inject_anti_debug_code' => true,
],The package automatically preserves:
$this,$request,$user,$auth,$session- PHP superglobals:
$_GET,$_POST,$_SERVER, etc. - Variables used in
compact()calls
- Laravel lifecycle methods:
boot,register,handle,mount,render - Eloquent methods:
save,update,create,find - Magic methods:
__construct,__get,__set,__call - Livewire hooks:
updated*,hydrate,dehydrate
$fillable,$guarded,$hidden,$casts$table,$primaryKey,$timestamps$middleware,$listeners,$queryString
Protection: 9.5/10 (ionCube equivalent)
✅ What's Protected:
- PHP source code is completely invisible
- Variable/method names are unreadable
- Logic flow is encrypted
- Routes and database logic are secured
- Code can still be debugged with PHP debuggers
- eval() can be intercepted (requires PHP extensions)
- Not immune to PHP opcode analyzers
- Test Your Application - Ensure everything works before obfuscating
- Create Manual Backup - While auto-backup is included, create your own
- Review Configuration - Check excluded files and protected names
- Version Control - Commit unobfuscated code to a private repository
- Save Encryption Key - Store it securely for debugging purposes
- Test Thoroughly - Verify all functionality works after obfuscation
- Monitor Performance - eval() adds minimal overhead but test critical paths
- Document Backup Location - Keep backup path for rollback if needed
# 1. Create production branch
git checkout -b production
# 2. Run obfuscation
php artisan obfuscate:run
# 3. Test the obfuscated version
php artisan test
# 4. Deploy to production
git add .
git commit -m "Production obfuscation"
git push production- Check for excluded files - some files may need to be added to exclusions
- Review protected method names - add custom methods to config
- Restore from backup and try again with adjusted configuration
# Backups are created as: BACKUP_YmdHis/
# Find your backup
ls -la | grep BACKUP_
# Restore
rm -rf app database routes resources
cp -R BACKUP_20231021120000/* .The obfuscation adds minimal runtime overhead (< 1ms per file). If you experience issues:
- Use PHP opcache to cache eval'd code
- Ensure debug mode is disabled in production
- Consider excluding frequently-loaded files
- PHP 8.0 or higher
- Laravel 9.x, 10.x, or 11.x
- nikic/php-parser ^4.0 or ^5.0
composer testcomposer formatMIT License. See LICENSE for details.
Escarter
Email: mbutuhescarter@gmail.com
For issues, questions, or contributions:
- Open an issue on GitHub
- Submit a pull request
- Contact the author
- Always maintain your own version control
- Test thoroughly before deploying to production
- Keep unobfuscated code in a secure private repository
- Use this package responsibly and legally
The authors are not responsible for any data loss or application failures resulting from the use of this package.
- Initial release
- XOR encryption with base64 encoding
- Unicode variable name obfuscation
- Blade view comment removal
- Automatic backup creation
- Debug disabling features (error reporting, XDebug, anti-debug detection)
- Configurable exclusions and protections
- Artisan command interface
- Dry-run mode
Made with ❤️ by Escarter