Dezend makes this totally useless...

[teranom]

I was going to buy Zend guard this week, but one of my friends told me about Dezend. At the beginning I didn't believed him, but he sent me the program, and told me I can test it myself.

I've tried zend guard trial with all obfuscating (max) options, and made my encrypted php. then tried Dezend, and surprisingly, it decoded all my data, without any problem.

I strongly suggest Zend, to include the compiled state of code into encoded php, as any encryption that should be decrypted, and be used in php framework. but when you store only compiled stage of your code, its impossible to restore your code, and at the best condition, it can be *ONLY* disassemble, that is useless in almost all ways.

I'm really looking forward to here official zend response about this...

[kentatzend]

Zend Guard provides some of the best technology available to protect applications from reverse engineering but Zend has never claimed that Zend Guard is impervious to reverse engineering. Given enough time and a determined hacker, any obfuscation technology can be broken. This has been true since the first hacker decompiled code.

The first level of protection is encoding. During encoding the PHP source code is converted to a binary format that is used at runtime by the PHP engine in conjunction with Zend Optimizer. Only the encoded files are deployed and your original source code remains secured which prevents your application from being read by the casual observer. Unfortunately technologies do exist that will allow encoded files to be decoded. Due to the open source nature of PHP there is virtually no way to prevent a person from hacking at the PHP engine code to intercept the bytecode after it has been decoded for execution and then turning that back into text.

The second level of protection is obfuscation. During obfuscation the encoded files are further processed to obscure the names of classes, methods, variables and other items in the code. Obfuscation of names cannot be automatically reversed without a key that only exists on your system. However, it is still possible from someone willing to spend enough time to figure out what is going. It's a lot harder with variable names like XsddR2245as and class names like wwEgg33k55jsc but it is not impossible. How well obfuscation works depends a bit on your code. For a simple hello world type example it is not that effective. For a well designed OO based application it is much more effective.

So while Zend Guard can make the job of someone wanting to steal your code/IP harder, ultimately your protection has to be provided by your end user license agreement (EULA) and whatever remedies it provides for you and your customers in the event of a legal dispute.

Kent Mitchell
Director, Product Management

[databank]

Damm, we're almost done with our php project, prepared to market and sell it zend encoded

I should have anticipated that any interpreted language can be decoded,
as long as you have more files in your prjoect and use php's include() function, php has to store variable names.
as long as there is eval() with dynamic content, obfuscation might not work, also obfuscation don't get along with function_exists() etc. etc.

for these and other reasons php IS NOT and CAN NOT be compiled into machine code that runs standalone
if protected code would be machine code, wouldn't need php and/or zend optimizer installed anymore, it would run directly and not trough php

if it would compile to machine code and run standalone, there would not be any restrictions like open_basedir in effect, anyone could play with machine code and make it run code that is not normally allowed through php

it is very possible that the php code you encode today is unbreakable ... until tomorrow

[sophiefl]

Hello,

I have a few PHP applications that I develop..

... and normally (for the last few years) I have been encrypting the source code with both ioncube and zend guard.

However... I am wondering if both options are really needed?

For example, I have never seen a web server where Zend Optimizer was installed and Ioncube did *not* work.

On most web hosting servers, Ioncube loaders are installed as part of the standard software... but Zend Optimizer is not installed.

What do you think?

Has the time come when I don't need to distribute my applications in both Ioncube *and* Zend encoded versions?

Thanks for any advice or thoughts/opinions.