I think that there should be no way of getting to your CGI sources, and that if they willingly locked you out of their systems any attempt to retrieve them bypassing the locks would be frankly illegal.

If I had sold a program that the user cannot modify, I'd have thought of a way to remotely check software integrity, like a hidden GET parameter showing your name in a not-so-evident fashion and a file digest for the running script (see Digest::SHA1, for instance), so that you can stand up in court and demonstrate that:

• You are the actual software author
• The script they run was illegally modified

Just my $0.02