SourceGuardian files decryption
So, here I'm back after a long time away...
I don't really know if this is the right place to post my problem, but I haven't found a better subforum to post in, so...
First of all: yes, I've googled around a lot... and yes, I've tried to search within all of the available topics with no success...
I'll explain my problem: a lawyer friend of mine called me last Thursday offering me what he called a "small job". A company had opened a trial against a French programmer who tried to physically steal one of their web servers, running a custom PHP application he made for the company itself. The lawyer is defending the company. They already won the first trial, therefore the French bailiffs (hope the term is right, I've googled for it...) went to the programmer's laboratory, retrieved the web server and gave it to the owner (the company). Unfortunately, when the IT dept of the company tried to make some updates on the server, they discovered that the programmer had completely encrypted all of the PHP source files using a freeware version of SourceGuardian 7.
The company has paid a regular invoice for the overall web server, including all of the PHP programs, and the agreement between them and the programmer clearly stated that all of the necessary source files would become company property after payment.
Now the bad part of all: they asked me to help them decode the source files because they have big problems rearranging all of their picture DBs. The company is a photographic agency working for some of the main Italian newspapers and TVs, therefore their DB contains about 50.000.000 pictures, all of them indexed and categorized in a MySQL DB whose access is managed by the damn PHP application, which integrates another tricky "don't-know-well-what" fast indexer.
I already suggested they call in another programmer and build another website from scratch. They will... but, unfortunately, since the pictures in the DB are identified only by codenames, they cannot rearrange all of the categories because the "Rosetta stone" of all of the file naming is encrypted together in one of the encrypted PHP source files...
This is the bad part.
Now the worst part: the first thing I tried was Google, in order to find out if a SourceGuardian cracker was already available somewhere... obviously with no success, otherwise I would not be here asking for help.
I then analyzed how this encoder works and I discovered the following things:
1) The encryption should be reversible, since no key is required in order to encrypt a file and the encrypted code can be run on any server after installing a standard decryption extension on the Apache/PHP engine. The extension is installed as a single file which must be placed in the web server's root under an "ixed" folder.
2) The encrypted file cannot be modified in any way: the header of the PHP document is in the clear and contains a series of "if" statements in order to check if the necessary ixed files are installed on the server; if everything is okay, then a call to sg_load() is made with an encoded string as argument. The encoded string contains the original PHP source plus a checksum of the overall PHP file, therefore the decoding extension does not decrypt the string if the file calling the decoding function is modified, thus avoiding a simple echo() of the function to print the decoded mess on the screen...
3) I've found a company (xxx.qinvent.com) which says that they can decode every SourceGuardian file, but the customer does not trust them because it's a Chinese company, therefore they don't want to send them all of their sources...
4) SourceGuardian itself has already been called in and they declared that they will not decode the files because of their policy.
I've tried (with no success at all) to:
- debug the encoded files using NetBeans, but the function result is never displayed.
- coredump the Apache/PHP engine in order to check if the decoded source is passed to the PHP engine in order to be executed.
- perform some standard decoding (base64 and others) on the encoded string.
No success at all.
I do know that everything sounds sick, but believe it or not, this is the situation...
Unfortunately, I'm not even a good programmer at all, therefore I'm not able to build a tool capable of sniffing the IPC between PHP and Apache, nor any eventual leak between PHP and the decoding extension.
Moreover, I do not really understand well how PHP works: I do know it's an interpreted language, but (as far as I've understood) it's possible to submit a PHP application as bytecode directly to the engine, very much like Java works...
Now I'm here asking for help... If someone could even only give me a suggestion of something else that I could try, or if someone has already done something similar and wants to give me a hand, I would really appreciate it.
Thanks a lot in advance.
..hoping this will not end in the idiot's corner for some reason...