An obfuscator, minifier and packer for PHP files.

Tags: PL

phppack will attempt to turn your entire multi-file PHP project into a single .php file of largely unreadable garbage, that can still be executed with the same result. It combines an obfuscator, minifier, compressor and packer.

phppack includes source code from nikic/PHP-Parser under the terms of the BSD license. As a demonstration, phppack is also distributed obfuscated and encoded along with all its dependencies.


  phppack [options] [--] [file1.php [...]]

  --compress                      Compress packed output
  --dump-tokens {output.txt}      Write all detected tokens to file
  --filelist {list.txt}           Process every file in list.txt
  --handler {name}                Set internal name for handler and class
  --mangler=short|nilt|dbqp       Select mode for generating nonsense words
  --no-obfuscate                  Do not obfuscate packed files
  --no-pack                       Obfuscate one file only, do not pack.
  --strings=rand|rot13|uuenc|none Select mode for string constants in file
  --whitelist {token}             Don't obfuscate single token
  --whitelist-tokens {input.txt}  Don't obfuscate all tokens in file
  --whitelist-autoload {path}     Don't obfuscate filenames found within path

PHP is obviously a dynamic language. The obfuscator works by replacing tokens in source code. If tokens are used in dynamic contexts then the replacement might be incorrect. This issue is more likely to impact code that uses variable variables, __get, dynamic variables or reflection. You can identify incorrect replacements by reading errors from running your program, and mark the tokens as whitelisted on a successive invocation of phppack.

A large whitelist is generated based on your existing PHP environment. This ensures that built-in constants and functions can still be called.

Tokens are irreversibly encoded using your choice of mangling function. The mangling is preserved throughout the entire project, so you must run phppack on your entire source code and all dependencies simultaneously. Alternatively if you do not wish to mangle certain files (e.g. GPL files), you can use the --dump-tokens and --whitelist-tokens options to minimise the impact (increase compatibility, reduce obfuscation).

String constants are reversibly encoded using your choice of encoding: either none (best compatibility, no runtime performance penalty), uuenc (smallest filesize), rot13, or a deterministic random choice of several functions (best obfuscation). A string constant containing a known token is replaced with its mangled token name above. This has some false positives but in general is sufficient to make things like array_filter([], 'strlen') work correctly.

If you are packing multiple files together, a virtual filesystem is created with a stream wrapper. Your application will appear to reside within base://_/ and the wrapper will attempt to require the first packed file. Files not containing any PHP tokens are embedded without modification. You can use the --compress option to reduce the size of the generated package file.

You can pack a file that has already been packed with phppack by using the --handler option to choose a different nonconflicting protocol.

See Also

  • nikic/PHP-Parser -
  • phar, a packer for multiple PHP files, now part of PHP core -