views:

426

answers:

7

What is the best php encoder software?

=========================================

http://www.freedownloadmanager.org/downloads/php_encoder_software/

http://forums.digitalpoint.com/showthread.php?t=596680

or another.

Everybody says Zend Guard. But you can decode/decrypt Zend's files at the page http://www.showmycode.com/

I think SourceGuardian is good. But I'm not so sure.

http://www.zendecode.com/decoding-software/

================================================

+7  A: 

Most of these are just code obfuscators. Naturally, you can descramble all of them. It's not encryption. Obfuscated code is just harder to read, but still runnable PHP code. There is no way around it, because if the obfuscation wasn't runnable, PHP could not run the code either. Choose the one you think fits your purpose. If I had to pick one I'd go with Zend, because their product integrates nicely into their stack.

Gordon
Why is your choice Zend? "http://www.showmycode.com/" - Decoder for Zend encode.
question_about_the_problem
http://www.zendecode.com/ + http://www.zendecode.com/decoding-software/
question_about_the_problem
@question_about_the_problem like I said, you can decode ALL obfuscators. I'd pick Zend because they are the company that develops the Zend Engine and because their solution integrates into Zend Server.
Gordon
A: 

If you don't know how to "hide" your code, you have nothing worth hiding.

Coronatus
A: 

My choice is SourceGuardian.

question_about_the_problem
+2  A: 

Yes, you can "reverse engineer" anything given enough effort. The point of a protection tool is to raise the bar so that almost everybody won't bother to try. (Door locks on houses aren't as good as those at Fort Knox, but they keep the riff-raff out.)

When there are automatic "decoders", of course the bar gets lowered. But the real question is, what does such an automatic decoder do?

There are three basic protection methods.

Method 1: Take the source code, and encrypt it somehow. Whether you do that with a standard encryption function, or an obscure kind of zip file, what you know is that to run the code it must be decrypted. Now you have to convince the execution engine (e.g., the Zend engine) to decrypt the software before it can be run. Either the decrypter is built into PHP (which is open source) or it must be shipped right with the encrypted software. So the decryption algorithm is lying around in an easily found place and it won't be long before somebody packages it into an "automatic decrypter" (like this amazing "automatic script decoder" pointed out by the OP.)

Method 2: Obfuscate the source code, by removing from it all basic hints that programmers use as cues to understand the code. Strip out comments. Replace well-chosen names by nonsense names. Print out the source code with the worst possible formatting one can imagine. Format constants in a way that makes them hard to understand (e.g., escape string contents in random ways, print numbers in crazy radices). What's left is valid code with the same function as the original (so it runs just fine) but is hard for a programmer to understand. True, he can invest effort to figure it out. True, this is pretty easy if you are talking about 10 lines of code and you know what they do, which is the kind of counterexample you often see posted as a "refutation" to this approach. However, this is much, much harder if you are facing an application consisting of dozens to hundreds of scripts each of several hundred lines; after all, programmers can barely understand software in which they have placed good cues! While one can reformat such code, what cannot be done is to write an automated decoder that puts back the key stuff needed by programmers to understand the code: good names and good comments. So a sophisticated automated attack is simply not possible. (You'll note that the amazing script decoder mentioned above doesn't offer to unscramble obfuscated code.... because it isn't mechanically possible to do that).

Method 3: Compile the source code to object code. It works pretty well if you compile to real machine code, which has resisted computer science attacks on reverse engineering pretty well for decades. It works not anywhere near as well if you compile to a "virtual machine" (PHP, Java VM, C# IL) which has a very straightforward instruction set and in which the translation from source code to the VM is relatively trivial. In this case, it is possible (and so it has been done) to write automated decoders to regenerate valid source text from the VM code. The resulting code may not be exactly the same shape as the original, but it has the same functionality. And, like Method 2, good comments are definitely gone. Good names may be gone; however, most compilers to VMs produce code containing such names, so unless the compiler intentionally scrambles names, regenerated source may contain those good-name cues. If the compiler does scramble names, and somebody regenerates source, the result you will get will be equivalent in effect to the results of Method2.

My conclusion is Method2 (obfuscation) is about as good as you can get, unless you have a real machine code compiler.

So, use the RoadSend compiler, or PHC, or Hip-Hop if you can get the recipient to run the result. That's not always easy; your target site has their own opinions about what they are willing to run, and in the PHP world it's pretty much the Zend PHP system unmodified as that makes their support manageable.

If you can't use one of those, use a Method2-style obfuscator.

The SD PHP Obfuscator is a Method2 style obfuscator, that works with all versions of PHP4 and PHP5.

Ira Baxter
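Methods 1 and 2 from the answer above, side by side, as an added example that is not part of the original answer and not any product's code: a toy encrypt-and-load scheme whose loader hands back the source byte for byte, and a toy tokenizer-based obfuscator whose output still runs but no longer carries the comments or variable names. The function names, the sample script and the key handling are assumptions made for illustration; it needs PHP 7.4+ with the openssl extension.

```php
<?php
// Constructed sample script standing in for the code being protected.
$source = <<<'PHP'
<?php
// Apply the regional VAT rate to a net price.
function grossPrice($netPrice, $vatRate) {
    return $netPrice * (1 + $vatRate);
}
echo grossPrice(100, 0.25), "\n";
PHP;

// Method 1 (toy): encrypt the source. The cipher is a real one on purpose:
// its strength does not matter once the key has to travel with the loader.
function encodeMethod1(string $src, string $key): string {
    $iv = random_bytes(16);
    $ct = openssl_encrypt($src, 'aes-128-cbc', $key, OPENSSL_RAW_DATA, $iv);
    return base64_encode($iv . $ct);
}

// The step every shipped loader must perform before it can run the script.
// Returning the plaintext instead of executing it is the whole "decoder".
function loaderDecrypt(string $blob, string $key): string {
    $raw = base64_decode($blob);
    $iv = substr($raw, 0, 16);
    return openssl_decrypt(substr($raw, 16), 'aes-128-cbc', $key, OPENSSL_RAW_DATA, $iv);
}

// Method 2 (toy): drop comments and rename variables to meaningless names.
// Hypothetical and incomplete: ignores superglobals, variable variables, compact().
function obfuscateMethod2(string $src): string {
    $map = [];
    $out = '';
    foreach (token_get_all($src) as $tok) {
        if (!is_array($tok)) { $out .= $tok; continue; }
        [$id, $text] = $tok;
        if ($id === T_COMMENT || $id === T_DOC_COMMENT) { continue; }
        if ($id === T_VARIABLE && $text !== '$this') {
            $map[$text] ??= '$v' . count($map);   // first-seen order: $v0, $v1, ...
            $text = $map[$text];
        }
        $out .= $text;
    }
    return $out;
}

$key = random_bytes(16);                         // ships with the loader in Method 1
$recovered = loaderDecrypt(encodeMethod1($source, $key), $key);
var_dump($recovered === $source);                // is the Method 1 round trip lossless?
$obf = obfuscateMethod2($source);
var_dump(strpos($obf, 'netPrice') === false);    // is the original name gone from the output?
eval('?>' . $obf);                               // the obfuscated script is still plain PHP
```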
+3  A: 

http://developers.facebook.com/hiphop-php/ Convert it into C++ -- can't get more obfuscated than that ;)

MK
A: 

For a free version, you could try Monas free php encoder/decoder. They stored their bytecode in variable length format so it can reduce your bytecode size. It seems still in early development, but works very well.

bluecoder
A: 

http://www.bytesdesign.com.br/bytescode/

bytesCode php encoder

Rodrigo Gregorio