Here's a great story by Collin O'Dell, maintainer of league/commonmark amongst other things, on how he was able to extract the class definitions out of obfuscated PHP source files.

Per the framework's license, decrypting the IonCube-protected code was not allowed. This meant it was impossible to recover the original source code. However, I could require those files and execute them in PHP, which would cause those classes to become usable in code. So how does one figure out what code just got loaded & executed?