"Jerry" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> I have always been a little bit reluctant to use obfuscators since the > source code does not actually disappear and it should not be too > difficult to find the correct patterns and algorythms to map and > restore the scrambled code. One could possibly write a good piece of > code that would do exactly that. I don't know what you mean by "restore the scrambled code" after obfuscation. The comments are gone, so no tool or person can restore them without essentially simply guessing. The identifier names are meaningless, and restoring them to something sensible means you pretty have much have to understand what the code is doing in order to choose a good name. So I don't think you can write a "tool" to do this at all. (Another poster observed that you *can* use a tool to reformat obfuscated text so its block structure is visible. Our tool also can format and so can be used for that purpose too, but the real value in the obfsucation is the removal of comments and scrambling of names). If you have a really small applicaiton, obfuscation won't "hide" it very well. If you have a really big application, in our opinion, the number of names that have to regenerated becomes pretty daunting for would-be reverse-engineer. > Instead the e.g. ioncube encoder really encodes the scripts and > requires only one file (the "runtime-loader") to be uploaded along > with the encrypted scripts onto the server to make the scripts > executable. Since the scripts run as a compiled application they are > even faster than unencrypted PHP scripts. So, this seems an > interesting alternative to me. "Encoding" the script doesn't prevent reverse engineering. It just raises the effort level required to decode it. (I'll cheerfully admit it raises it somewhat higher than obfuscated source.) Ultimately, if somebody wants to reverse engineer your code, they can. So the real question is, what's enough protection? Most people don't use a bank vault locks on their front door. Deadbolts are good enough for the majority. > Costs: Your obfuscator costs US$150.00. The ioncube encoder starts at > US$199.00 Personally, I find it's worth the difference. OK. Everybody makes their choice. We chose to provide source obfuscation because while you may have a customer for your PHP source code, you can't always tell your customer what he must run on his server. Of course, if your customer *wants* to run with a PHP compiler, he can do that with obfuscated source, too, but now it is his choice, not yours. > What is your take on that? > Thank you for your help and opinion. > > Jerry -- Ira D. Baxter, Ph.D., CTO 512-250-1018 Semantic Designs, Inc. www.semdesigns.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
