# True Tamper-Proofing: ionCube / SourceGuardian

## Why the obfuscated snippet isn't enough on its own

The `build_obfuscated.php` approach (merged into `app/helper/app.php`,
gzip+base64 wrapped) stops **casual** removal — someone skimming files
for "license" or "verify" won't spot it, and it's woven into a file the
script can't run without. But it's still plain PHP underneath. Anyone
who runs it through a deobfuscator or just adds `file_put_contents`
right before the `eval()` to dump the decoded source can read and
strip it in a few minutes if they're motivated enough.

For real protection you need to stop shipping **readable PHP** at all.
That's what ionCube and SourceGuardian do.

## What they actually do

Both compile your PHP source into encrypted bytecode. The client's
server can only execute it if it has the matching **loader** (a free
PHP extension) installed — it cannot be opened, edited, or read as
text. There's no "view source" to strip a license check out of,
because there's no source to view.

| | ionCube Encoder | SourceGuardian |
|---|---|---|
| Cost | ~$200–400/yr depending on tier | ~$225–350/yr |
| Loader availability | Pre-installed on almost all shared hosting (cPanel/WHM, Plesk) | Widely available, slightly less universal than ionCube |
| Licensing features built in | Yes — domain locking, expiry dates, IP locking, remote license server calls, all built into the encoder itself | Yes — similar feature set |
| Ease of use | Very common in the SMM panel / script-selling space already | Also common, some prefer it for performance |

Most commercial PHP scripts you've probably bought yourself (panels,
plugins, nulled-protection systems) use one of these two. ionCube is
the more common choice specifically in the SMM panel reseller market.

## How the workflow looks

1. **Buy an ionCube Encoder license** (anthropic.com can't do this
   step for you — it's a paid third-party tool at ioncube.com).
2. **Pick which files to encode.** You don't have to encode the whole
   54MB script — encode the core files that matter most:
   - `app/init.php`, `app/helper/app.php` (bootstrap — can't run without them)
   - `index.php`
   - `cronjobs/master_cron.php` and the other cron files
   - Leave `.twig` templates and CSS/JS alone — encoding those buys
     you nothing and bloats the package.
3. **Build the license check directly into the encoder's licensing
   API** — ionCube has its own built-in call-home/expiry/domain-lock
   system (`ioncube_license_check()` style functions) you can use
   *instead of or alongside* your `verify.php` server. This means the
   check is inside the encrypted bytecode itself, not a separate file
   at all.
4. **Confirm the client's host has the ionCube Loader.** Nearly every
   shared host does by default (check via a phpinfo() page or ask
   their host to enable it — it's a one-click cPanel toggle on most
   providers). This is the only real friction point with this
   approach.
5. **Ship the encoded files in place of the plaintext ones.** Your
   `admin`, `views`, assets, etc. stay normal PHP/Twig — only the
   core enforcement files are encoded.

## Realistic recommendation

Given you're actively reselling, a practical stack is:

- **Free tier (what you already have):** the obfuscated
  `license_core_source.php` merged into `app/helper/app.php` +
  duplicated in `cronjobs/master_cron.php`. Stops 95% of clients who
  wouldn't think to look for it.
- **Paid tier (worth it once you have real revenue at stake):**
  ionCube-encode the same handful of core files, using ionCube's own
  license API for the enforcement, so there's no readable PHP for
  anyone to edit at all.

Nothing makes a script running on someone else's server 100%
unbeatable forever — but obfuscation + encoding together puts you
well ahead of what almost all resold PHP panels actually do, most of
which ship a single obviously-named `license.php` that gets deleted
in five seconds.
