Decoding Encoded PHP Codes Part I

Okay its the first part of the script. The second part was published earlier. That time I kept place for this post. And here it is.Its another script that I got from a Guy. This time he was trying to crack the script. 🙂  He didnt want to buy another so need to crack it.Well I am not a cracker, that guy sent me the script over messenger and told me “what type of script it is??”. I saw it and felt why not decode it.

The script was encoded many times iteratively. So I had to decode it that way to get the final output. I wrote a console php application to decode it. I’ll give you the script at the end of this post.

The script I got was something like following. I shortened it so that it fits my post.


As you can see its base64 encoding and gz compression which took place to obfuscate. I just echo the $x; and found this.

?><? eval(gzinflate(base64_decode('DZbHDsTWDUV/JTvbmIV6Q+IY0lPvvW0CSaPeRxq
='))); ?><?

Note there are something special about this code.

  1. php ending (?>) and starting (<?) tag is attached to the end and start.
  2. there is an eval() call.

Beside these the whole script is same!! The “?><?” part is harmless. I dont have to worry about it. My target is to replace the eval() call by a variable. something like usingi “$y=(gzinflate(base…” instead of “eval(gzinflate(base…”. See! Its a little change. I did it with the following code.

$x[0]=" "; // was '?'
$x[1]="\$"; // was '>'
$x[2]="y"; // was '<'
$x[3]="="; // was '?'
$x[4]=" "; // was ' '
$x[5]=" "; // was 'e'
$x[6]=" "; // was 'v'
$x[7]=" "; // was 'a'
$x[8]=" "; // was 'l'

What I am doing here is just replaceing the “?><? eval” with ” $y= “. After that the whole string ($x) will be like. I am accesing the string by index because its faster and I still dont konw how many iteration I need.

$y=   (gzinflate(base64_decode('DZbHDsTWDUV/JTvbmIV6Q+IY0lPvvW0CSaPeRxq1r8/
E3GHguUHN9Xf5mxQUH61z+8Z+z8='))); ?><?

Now If I eval this code which is inside $x variable, I’ll get the new value. Lets see what it is. Just execute eval($x). I got this.

?><? eval(gzinflate(base64_decode('DZa1DsQIEkR/ZbPdlQMz
AgAIAha51nezgidtHNmcERfsXo/w=='))); ?><?

Hey, Its the same thing again. Ha ha. So lets make a loop and do it iteratively. see the following code.

while(strpos($x,"eval")!== false){
$len = strlen($x); // Current length of the code
echo "[".($i+1).":$len]".PHP_EOL.$x.PHP_EOL;
// Echoing the code.
$x[0]=" ";
$x[4]=" ";
$x[5]=" ";
$x[6]=" ";
$x[7]=" ";
$x[8]=" ";
// Puting the code in $y by this call.
$x = $y; // Substituting the previous code by the new one.

The idea is I’ll loop through the code as long as I find there is an eval() call. If there is an eval() call I’ll just remove the eval and put the code to some other variable. So it wont get eval()<code/>ed but will be saved. Its done by eval($x) Then for iteration I am substituting my previous code (cause I dont need it anymore).

If you execute the code you’ll see the length of the code is reducing in each iteration. Also you’ll get lots of output. When the loop breaks, you know that there is no eval() call. That means there is no dynamic code execution. But there might be base64_decode or gzinflate()</code>. Why not check it? The last code was saved in $x. So lets echo $x.

In my case the output was the actual code that was written. Here is a sample code from there.

echo "<html>\n";
echo "<head>\n";
echo "<title>Ilegal Script</title>\n";
echo "</head>\n";
echo "<body>\n";
echo "<h1 align=\"center\"><font face=\"Verdana\" color=\"#FF0000\">Ilegal Script</font></h1>\n";
echo "<p align=\"center\"><font face=\"Verdana\"><b>Sorry! The license for this script is not avaliable for this domain ( $domain_name

So. At last its decoded.

Well things can be different. There is no gurranty that you’ll get the actual code in this stage. There can be further decoding.

Here is my final code that did the trick.

while(strpos($x,"eval")!== false):
$len = strlen($x);
echo "[".($i+1).":$len]".PHP_EOL.$x.PHP_EOL;
$x[0]=" ";
$x[4]=" ";
$x[5]=" ";
$x[6]=" ";
$x[7]=" ";
$x[8]=" ";
$x = $y;
echo ($i+1).":".PHP_EOL.$x.PHP_EOL;

Happy De-obfuscation.:)