People are often concerned about various technologies that exist that claim to reverse the protection provided by Zend Guard. We thought it was important to address it here.
Zend Guard provides some of the best technology available to protect applications from reverse engineering but Zend has never claimed that Zend Guard is impervious to reverse engineering. Given enough time and a determined hacker, any obfuscation technology can be broken. This has been true since the first hacker decompiled binary machine code.
The first level of protection is encoding. During encoding the PHP source code is converted to a binary format that is used at runtime by the PHP engine in conjunction with Zend Optimizer. Only the encoded files are deployed and your original source code remains secured which prevents your application from being read by the casual observer. Unfortunately technologies do exist that will allow encoded files to be decoded. Due to the open source nature of PHP there is virtually no way to prevent a person from hacking at the PHP engine code to intercept the bytecode after it has been decoded for execution.
The second level of protection is obfuscation. During obfuscation the encoded files are further processed to obscure the names of classes, methods, variables and other items in the code. Obfuscation of names cannot be automatically reversed without a key that only exists on your system. However, it is still possible from someone willing to spend enough time to figure out what is going. It's a lot harder with variable names like XsddR2245as and class names like wwEgg33k55jsc but it is not impossible.
So while Zend Guard can make the job of someone wanting to steal your code/IP harder, ultimately your protection has to be provided by your end user license agreement (EULA) and whatever remedies it provides for you and your customers in the event of a legal dispute.
Director, Product Management