I wish he'd gone down this route further. It looks like there's code at the top of the file that "decrypts" (decodes?) the contents of the PHP file. I'd be curious why he felt this wasn't worth reversing.
I'm also curious if there's a way to dump 'disassembled' PHP after it's been loaded into the PHP processor. If it's going through eval() at the end, then shouldn't the plain-text source be available in a string somewhere?
I believe these obfuscators work by forcing you to install a binary-only .so zend extension in php.ini, which intercepts these encoded files. The files themselves should decode to already-halfway-parsed PHP opcodes or so, which is probably injected into the PHP/Zend virtual machine.
Figuring out the encoding scheme is probably a lot of boring disassembly work, which in the end just lets you decode a bunch of PHP opcodes which themselves would take a lot of work to make sense of.