From bf1328836729e0d46303fd5539e2348d651095ef Mon Sep 17 00:00:00 2001
From: Gabor Gyorvari <scr34m@gmail.com>
Date: Sun, 17 Jul 2022 08:17:20 +0200
Subject: [PATCH] Nested function call pattern update

---
 definitions/patterns_raw.txt | 5 +++--
 definitions/patterns_re.txt  | 2 +-
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/definitions/patterns_raw.txt b/definitions/patterns_raw.txt
index fde3486..9dd7be7 100644
--- a/definitions/patterns_raw.txt
+++ b/definitions/patterns_raw.txt
@@ -391,5 +391,6 @@ Array("1207", "3gso", "4thp", "501i", "502i", "503i", "504i", "505i", "506i",
 # eval url decoded string
 eval(rawurldecode('
 
-# simple obfuscated gzuncompress
-'gz'.'unc'.'ompress'
\ No newline at end of file
+# simple obfuscated function
+'gz'.'unc'.'ompress'
+'create'.'_'.'function'
\ No newline at end of file
diff --git a/definitions/patterns_re.txt b/definitions/patterns_re.txt
index a0a482c..b4f465c 100644
--- a/definitions/patterns_re.txt
+++ b/definitions/patterns_re.txt
@@ -95,7 +95,7 @@ eval\(\$[a-z0-9_]+\(\$_POST
 ("[a-z0-9]+"\.chr\(\d+\)\.){3,}
 
 # nested function call used variables
-\$[a-z]+\(\$[a-z0-9]+\(
+\$[a-z0-9_]+\(\$[a-z0-9_]+\(
 
 # GLOBALS inject with escaped content
 \$GLOBALS;\$\{"\\x