What if an attacker steals the source code of the tool?

Your application is still protected.  The tool has a large variety of mechanism, it builds code on the fly and makes extensive use of PRNG.  Decoy code can be user generated.  Access to our source code might answer an attackers one or other question, but it does not weaken the protection substantially.  But users must be careful and protect the protection logs and the source code of a protected application.