I'm a php developer and currently searching for software to protect php code. I know there exist obfuscators and encoders (and both).. but it seems that it's possible to "decrypt" code encoded with some software.
So my question is.. if it is possible to decrypt source code produced by major software companies (zend, ioncube, sourceguardian).. why that produts are still on market?
Why these software continues to sell if anyone can (pay to) decrypt everything in seconds?
Btw, i asked this on ioncube forum and my message was.. deleted.
regards.
The answer simply reduces to: because there are dumbasses stupid enough to believe that PHP can be "securely encoded", the same way there are people stupid enough to believe that requiring a serial code for an application automatically makes it secure.
ionCube relies on a pretty simplistic implementation - XOR from start to finish, which is hardly a "security measure". It runs as a VM - and is vulnerable to all VM side-channel attacks in addition to flat-out reverse engineering (one presentation here: https://media.blackhat.com/ad-12/Saher/bh-ad-12-stealing-from-thieves-Saher-slides.pdf ). Will ionCube say so? No. Why? Because it dissuades the large majority of script kiddies.
I am not familiar with sourceguardian, but Zend is built in the same fashion, albeit a bit more secure and harder to beat than ionCube. However, whilst they're not trivial, they're not impossible to beat, either.
The following is taken from the Zend Guard page:
Encoding is a process where the PHP source code is converted to an intermediate machine readable format. This format is hard for humans to read and convert back to source code. As a result it protects your code from casual browsing. This means that if people obtain access to your site's code they will not be able to use that for unintended purposes.
In other words, if your user is not casually browsing, this will not hold up. I don't know about you, but I do not know a single non-dev who casually browses source code without the purpose of understanding it, and often, breaking it.
The same thing is true of every single DRM method around. However, they're still on the market. Why? Because, whilst they are not perfect, they're good enough to dissuade the large majority of people.
The law and final word of this is: if you build it, expect it to be broken and plan for it.