Decoding Encoded PHP Codes Part I

Okay its the first part of the script. The second part was published earlier. That time I kept place for this post. And here it is.Its another script that I got from a Guy. This time he was trying to crack the script. 🙂  He didnt want to buy another so need to crack it.Well I am not a cracker, that guy sent me the script over messenger and told me “what type of script it is??”. I saw it and felt why not decode it.

The script was encoded many times iteratively. So I had to decode it that way to get the final output. I wrote a console php application to decode it. I’ll give you the script at the end of this post.

The script I got was something like following. I shortened it so that it fits my post.

$x=gzinflate(base64_decode('DdZFDsQGEkDRq2SXRF6YSQORmZm9GZkZ2tS2Tz99g1Lp61X9899
Q7byNLFFQPhOl/mVjRGf1oqHbcM6dllwFWTOBSW9s+skpCLM4WeTHX66NGnpmN3nIVOz4fMi9gUX
Hskmh9jS8zpkJ9DGohZbcYBuA/rwBqtl8UAt2xbOgSRkI5TvwfO4DUpTvtI0d1S06jUIpAzPLGv3sef8t
CjvR6Ceibo6PVE+Cc5QrAOmG9pfJglOZG58soOau2cal17Vl4vj34zUFuzWPzJ4Z+gI7MkuWpPUT4PH
CCVl6AIatNthVl5O7CSlOlX9kWrihG3aeQsQqRZAinFdVncZxVwYwBK8nzkm2XQ1/ZQpO/BwKzEpqxo
4A9dpX9okTd80CNZxfIEg/AJUCrzUf/78+++///XHP78n8P8='));

As you can see its base64 encoding and gz compression which took place to obfuscate. I just echo the $x; and found this.

?><? eval(gzinflate(base64_decode('DZbHDsTWDUV/JTvbmIV6Q+IY0lPvvW0CSaPeRxq
1r8/sCRLE4bng/9zz//Ko9s+LN+2qkasr38M8+2ksT9y6L+V3++QefZgiOYrQu1Ca2+BMR4y4oZ0
ZogcFJPx2BSJQuAZPiGTfT4TBL1eggAlirCq8OXSDstfIfYFyGX5+nHYMPmdeCZ+dR3fwZkFe0M
cvm5o5HZGtWYZuMQKbyqdv3LptjIbhH5UjreQDxYtde4GFE3GHguUHN9Xf5mxQUH61z+8Z+z8
='))); ?><?

Note there are something special about this code.

  1. php ending (?>) and starting (<?) tag is attached to the end and start.
  2. there is an eval() call.

Beside these the whole script is same!! The “?><?” part is harmless. I dont have to worry about it. My target is to replace the eval() call by a variable. something like usingi “$y=(gzinflate(base…” instead of “eval(gzinflate(base…”. See! Its a little change. I did it with the following code.

$x[0]=" "; // was '?'
$x[1]="\$"; // was '>'
$x[2]="y"; // was '<'
$x[3]="="; // was '?'
$x[4]=" "; // was ' '
$x[5]=" "; // was 'e'
$x[6]=" "; // was 'v'
$x[7]=" "; // was 'a'
$x[8]=" "; // was 'l'

What I am doing here is just replaceing the “?><? eval” with ” $y= “. After that the whole string ($x) will be like. I am accesing the string by index because its faster and I still dont konw how many iteration I need.

$y=   (gzinflate(base64_decode('DZbHDsTWDUV/JTvbmIV6Q+IY0lPvvW0CSaPeRxq1r8/
sCRLE4bngP9zzKo9s+LN+2qkasr38M8+2ksT/9y6L+V3++QefZgi/OYrQu1Ca2+/BMR4y4oZ0ZogcFJPx2BSJQuAZPiGTfT4TBL1eggAlirCq8OXSDstfIfYFyGX5+nH
YMPmdeCZ+dR3fwZkFe0Mcvm5o5HZGtWYZuMQKbyqdv3LptjIbhH5UjreQDxYtde4GF
E3GHguUHN9Xf5mxQUH61z+8Z+z8='))); ?><?

Now If I eval this code which is inside $x variable, I’ll get the new value. Lets see what it is. Just execute eval($x). I got this.

?><? eval(gzinflate(base64_decode('DZa1DsQIEkR/ZbPdlQMz
6WBlZo95bCcnMzP762/CzlrV9arrn//++58jPp/6reZiz7ZCSpOtILD/5U
U25cVff4pxKvOTq/A+C6ppuTXVh9byYSN4xjjDj0roMHq2hNehyBvzF
AgAIAha51nezgidtHNmcERfsXo/w=='))); ?><?

Hey, Its the same thing again. Ha ha. So lets make a loop and do it iteratively. see the following code.

$i=0;
while(strpos($x,"eval")!== false){
$len = strlen($x); // Current length of the code
echo "[".($i+1).":$len]".PHP_EOL.$x.PHP_EOL;
// Echoing the code.
$x[0]=" ";
$x[1]="\$";
$x[2]="y";
$x[3]="=";
$x[4]=" ";
$x[5]=" ";
$x[6]=" ";
$x[7]=" ";
$x[8]=" ";
eval($x);
// Puting the code in $y by this call.
$x = $y; // Substituting the previous code by the new one.
$i++;
}

The idea is I’ll loop through the code as long as I find there is an eval() call. If there is an eval() call I’ll just remove the eval and put the code to some other variable. So it wont get eval()<code/>ed but will be saved. Its done by eval($x) Then for iteration I am substituting my previous code (cause I dont need it anymore).

If you execute the code you’ll see the length of the code is reducing in each iteration. Also you’ll get lots of output. When the loop breaks, you know that there is no eval() call. That means there is no dynamic code execution. But there might be base64_decode or gzinflate()</code>. Why not check it? The last code was saved in $x. So lets echo $x.

In my case the output was the actual code that was written. Here is a sample code from there.

echo "<html>\n";
echo "<head>\n";
echo "<title>Ilegal Script</title>\n";
echo "</head>\n";
echo "<body>\n";
echo "<h1 align=\"center\"><font face=\"Verdana\" color=\"#FF0000\">Ilegal Script</font></h1>\n";
echo "<p align=\"center\"><font face=\"Verdana\"><b>Sorry! The license for this script is not avaliable for this domain ( $domain_name
)</b></font></p>\n";

So. At last its decoded.

Well things can be different. There is no gurranty that you’ll get the actual code in this stage. There can be further decoding.

Here is my final code that did the trick.

$x=gzinflate(base64_decode('DdZFDsQGEkDR.....'));
$i=0;
while(strpos($x,"eval")!== false):
$len = strlen($x);
echo "[".($i+1).":$len]".PHP_EOL.$x.PHP_EOL;
$x[0]=" ";
$x[1]="\$";
$x[2]="y";
$x[3]="=";
$x[4]=" ";
$x[5]=" ";
$x[6]=" ";
$x[7]=" ";
$x[8]=" ";
eval($x);
$x = $y;
$i++;
endwhile;
echo ($i+1).":".PHP_EOL.$x.PHP_EOL;

Happy De-obfuscation.:)