I hate getting into the conversations, mainly because everyone who has an opinion is so pig-headed, plus I am biased as I write an obfuscator.
Having said all that, here are my thoughts: to unobfuscate obfuscated code you need someone to actually step through the code, determine what each variable does and name them appropriately. Because the obfuscated code is entirely valid PHP, it runs perfectly without any loaders. But like I say, if you want to know what it actually does, you have to go to a fair amount of effort to work it out as the variable names, function names, constant names etc. are all meaningless.
Encrypted PHP code (the stuff that requires a loader) gets loaded into memory and decrypted in memory. Once it's decrypted in memory, it's the same code as what the developer worked with. All you need to do is do a memory dump of where the code was decrypted to and you have the original code. That is why there are now some encrypters out there that will obfuscate the code first.
Releases of bytecode are not 'real, developer usable' PHP at all. I consider them, really, to be closer to obfuscated code as it's not encrypted... it's just 'changed'. Unfortunately, it still requires a loader of some sort.
So: if I weren't happy with just obfuscation, I'd go the obfuscation + encryption route as a two-layer system. I don't think obfuscation + bytecode release adds much more protection than either of the two separately.
They're my thoughts, anyway.