De-obfuscate and reverse engineer PHP malware
When run with the "-R" flag, it tries to replace code that names variables indirectly with the variable's "true name", that is, the result of the indirection.
Changes to how arrays are kept in the symbol table: actual PHP arrays are now created from the parse trees, instead of just a string representation of arrays.
There are also some changes around executing functions like strrev(), str_rot13(), etc. The code no longer distinguishes between 1- and 2-argument functions, as it uses the parse tree to create an array of arguments and calls the specified function via call_user_func_array().
This latter change also makes it easier to use external decoder functions, because they can have arbitrary numbers of arguments.
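A sketch of that dispatch, as an added example that is not the tool's own code: the node layout, the allowlist, and the xor_decode() external decoder are all hypothetical. It builds the argument array from the parse tree, then calls only allowlisted pure string functions via call_user_func_array(), leaving anything else unevaluated.

```php
<?php
// Added example; node shapes and all names here are hypothetical.
// Only pure string decoders are ever executed during analysis.
const SAFE_DECODERS = ['strrev', 'str_rot13', 'base64_decode', 'str_replace', 'xor_decode'];

// Hypothetical external decoder taking two arguments.
function xor_decode(string $data, string $key): string {
    if ($key === '') return $data;
    $out = '';
    for ($i = 0, $n = strlen($data); $i < $n; $i++) {
        $out .= $data[$i] ^ $key[$i % strlen($key)];
    }
    return $out;
}

// Resolve a parse-tree node to a value; null means "leave it unevaluated".
function eval_node(array $node, array $symtab) {
    switch ($node['type']) {
        case 'string':
            return $node['value'];
        case 'var':
            return $symtab[$node['name']] ?? null;
        case 'call':
            $fn = strtolower($node['name']);
            if (!in_array($fn, SAFE_DECODERS, true)) return null;
            $args = [];
            foreach ($node['args'] as $argNode) {    // any number of arguments
                $value = eval_node($argNode, $symtab);
                if ($value === null) return null;     // unresolved argument
                $args[] = $value;
            }
            try { return call_user_func_array($fn, $args); }
            catch (\Throwable $e) { return null; }    // wrong arity or type
    }
    return null;
}

function str_node(string $v): array { return ['type' => 'string', 'value' => $v]; }
function call_node(string $f, array $a): array { return ['type' => 'call', 'name' => $f, 'args' => $a]; }

$symtab = ['k' => 'K'];                       // constructed symbol table
$samples = [                                  // constructed parse trees
    call_node('str_rot13', [call_node('strrev', [str_node('ynir')])]),
    call_node('xor_decode', [str_node('$ '), ['type' => 'var', 'name' => 'k']]),
    call_node('str_replace', [str_node('#'), str_node(''), str_node('ba#se#64')]),
    call_node('system', [str_node('placeholder')]),   // not allowlisted
];
foreach ($samples as $tree) {
    var_dump(eval_node($tree, $symtab));
}
```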
Handle $GLOBALS peculiarities.
A few minor cleanups, some added zoo/ test cases, and the ability to deal with one or more create_function() invocations.
Files from my CVS repository. This is just a "marker" release, to preserve a consistent set of files at a point in time.