Uninitiated people often ask questions like “How do I decode an obfuscated PHP-script?”, “Is PHP-script obfuscation safe enough?” and even like “Would you help me to deobfuscate it please, wouldn’t you?”. The main purpose of this article is to show, that obfuscators provide absolutely no protection in 90% cases (which are able to provide protection only from people, who got acquainted with programming language for the first time in their lives). It can be removed in 10 to 20 minutes, as a result you get PHP script in its original form. The rest 10% cases demonstrate slightly stronger protection, which can be removed in similar ways though. If you wish to learn how to remove obfuscation from scripts on your own, then this article is what you need!
Here is a nice PHP-code obfuscator.
[+] obfuscate variable names
[+] obfuscate function names
[+] encode static strings
[+] obfuscate built-in PHP functions names
[+] obfuscate INTEGERs
[+] compress the script
[+] archivate the script
[+] add some trash-comments
[+++] do lots of other interesting functions
The obfuscator does not support eval() and $$var_name constructions.