IonCube Obfuscation / Deobfuscation


The IonCube encoder has obfuscation options for classes, methods, functions, and local variables. You set an obfuscation key (obfkey) and select which names to obfuscate. When the encoder runs, the selected names in the source code are converted into bytes by an encryption process (the obfkey is hashed with MD4 and used to modify the base64 string of the name, among other steps). For example, the name “exec” could be converted into “0D3B3E0A0129021E0C321B10380F3718340D31173E0722”. The obfkey is stored in the encoded file, and we can retrieve it. We then take a huge dictionary of names, convert each one into its obfuscated value with the retrieved obfkey, and compare the result with the stored bytes. If the bytes are the same, we have found the original name!

Sometimes it is not possible to recover the obfuscated names. Will the decoded file(s) still work? That depends on which names were not deobfuscated. If the obfuscated name is a function name and the function is defined under the same obfuscated name, running the source code is not a problem at all: PHP will still find the function. The problem arises when an obfuscated name is an orphan, meaning there is no way for PHP to recognize the name. We fix that by deobfuscating all encoded files in the script!
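The dictionary comparison and the orphan check described above can be modelled as follows. This is an added example, not the tool's own code: `obfuscate()` is a stand-in keyed transform and not IonCube's real algorithm, and the key, wordlist, file names and symbol lists are constructed sample data.

```python
import hashlib

def obfuscate(name, obfkey):
    # Stand-in keyed transform, NOT IonCube's algorithm: the only property
    # modelled is that the same key and name always give the same hex token.
    return hashlib.sha256(f"{obfkey}:{name}".encode()).hexdigest()[:24].upper()

def build_lookup(wordlist, obfkey):
    # Obfuscate every dictionary word once: token -> original name.
    return {obfuscate(word, obfkey): word for word in wordlist}

def analyse(files, lookup):
    """files maps filename -> {"defines": [tokens], "calls": [tokens]}.
    Returns (recovered, harmless, orphans):
      recovered: token -> name found in the dictionary
      harmless:  unresolved tokens that are defined somewhere in `files`
      orphans:   unresolved tokens that are called but defined nowhere
    """
    defined = {t for f in files.values() for t in f["defines"]}
    called = {t for f in files.values() for t in f["calls"]}
    recovered = {t: lookup[t] for t in defined | called if t in lookup}
    unresolved = (defined | called) - recovered.keys()
    orphans = {t for t in unresolved & called if t not in defined}
    return recovered, unresolved - orphans, orphans

# Constructed sample data (hypothetical key, names and files).
OBFKEY = "example-obfkey"
WORDLIST = ["exec", "send_mail", "get_user", "render_page"]
RARE = obfuscate("zx_internal_q7", OBFKEY)  # name absent from the wordlist
FILES = {
    "index.php": {"defines": [obfuscate("render_page", OBFKEY)],
                  "calls": [obfuscate("send_mail", OBFKEY), RARE]},
    "lib.php": {"defines": [obfuscate("send_mail", OBFKEY), RARE],
                "calls": []},
}

if __name__ == "__main__":
    lookup = build_lookup(WORDLIST, OBFKEY)
    for label, subset in (("index.php only", {"index.php": FILES["index.php"]}),
                          ("all files", FILES)):
        recovered, harmless, orphans = analyse(subset, lookup)
        print(label, "| recovered:", sorted(recovered.values()),
              "| harmless:", len(harmless), "| orphans:", len(orphans))
```

With only `index.php` in scope the unrecovered token is an orphan; once `lib.php` is included, the same token has a matching definition and is harmless.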