Thicket™ Obfuscator for PHP
How does Thicket protection compare to other solutions?
There are some competing PHP "protectors" that "encrypt" or "encode" unaltered source code. Those products require your encrypted source code to be shipped to your customer with the very code it takes to decrypt your source. Any competent PHP coder should be able to trivially execute that decoder to see your source. Worse, there are decoder tools which, amazingly enough, trivially decodes the protection of virtually every "encoder"-based PHP protection product you can get. What this means is that those encoders provide no protection at all. (Interestingly, Zend offers this useless option as part of their product).
True obfuscators such as Thicket use nonsense identifier names, making those names impossible to understand by themselves. No "decoder" exists or can be built to ungarble such names; a would-be thief will have to work hard and dig deeply into the obfuscated source code to even begin guessing what each identifier might have meant. The amazing decoder above can't undo a Thicket obfuscation.
There are those who argue that an obfuscator will not stop someone from reverse-engineering the PHP source code. (In principle, no protection scheme of any kind will stop an adversary with unlimited patience and resources but most adversaries stop when it is easier to just write their own code). Often the basis of this argument is some small piece of obfuscated code of a dozen lines, whose function is already known, and in this case the argument is right. Thicket works because in practice you are obfuscating many PHP scripts that must collectively work together, and understanding how they all work together is necessary. So the adversary must reverse engineer dozens of pages correctly to make any serious changes. This is far, far harder than reverse engineering a dozen lines. (After all, your own programmers have a hard time understanding their own application, and that's with the help of good variable names and comments, right?)
You may be tempted to try POBS or some other free obfuscator script.
You will find those scripts, while well intentioned, do not really work reliably, and
run very slowly on large PHP packages because they are based on slow PHP string hacking.
Our PHP Obfuscator works quickly and reliably on even the most arcane (if legal) PHP code,
and on very big sets of scripts.
1 | 2
Download an evaluation version