
Decode obfuscated PHP source code

How can I rewrite each file into readable code?

For example, in the source code there are variables like this:

${"\x47\x4c\x4f\x42\x41\x4cS"}["y\x61\x72\x64s\x70\x71"]="va\x6cu\x65";

How can I convert that into readable code such as:

$somevariable = "somevalue";

That's not UTF8, that's just some obfuscation someone thought of to make the script less readable. You can convert every string to its character representation. For instance \x41 means 'capital A'.

You don't have to convert these values yourself. When you echo the string, it will show its actual value.

The accolades are just a way to use a string value for a variable name, so ${'foo'} = 10; will set the variable $foo to 10.

In your case, you got a script that's messing with your globals.

<pre><?php

//${"\x47\x4c\x4f\x42\x41\x4cS"}["y\x61\x72\x64s\x70\x71"]="va\x6cu\x65";

echo
  'It means: ' .
  '${"' . "\x47\x4c\x4f\x42\x41\x4cS" .
  '"}["' . "y\x61\x72\x64s\x70\x71" . '"]="' .
  "va\x6cu\x65" . '";<br>';

// = $GLOBALS['yardspq'] = 'value';

var_dump(${"\x47\x4c\x4f\x42\x41\x4cS"});

?></pre>

Just replace all occurrences of \xNN with chr(NN). For example:

$source = file_get_contents('obfuscated_source.php');
// Match a literal backslash, "x" and two hex digits (e.g. \x47).
if (preg_match_all('/\\\\x([0-9A-Fa-f]{2})/', $source, $matches)) {
    for ($i = 0, $len = count($matches[0]); $i < $len; ++$i) {
        // Replace the escape sequence with the character it encodes.
        $source = str_replace($matches[0][$i], chr(hexdec($matches[1][$i])), $source);
    }
}
file_put_contents('source.php', $source);
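A static variant of the replace-all approach above, as an added example that is not part of any answer on this page: a Python script that decodes `\xNN` and octal escapes only inside double-quoted PHP literals, keeps escapes whose decoded form would change the literal's meaning, and folds `${"name"}` into `$name`, all without executing the suspect file. The function names are hypothetical, and it assumes the input has no heredocs, comments containing quotes, or inline HTML.

```python
import re

# One PHP string literal, single- or double-quoted, honouring backslash escapes.
LITERAL = re.compile(r"'(?:[^'\\]|\\.)*'|\"(?:[^\"\\]|\\.)*\"", re.S)
# Any backslash escape; \xNN and octal \NNN are tried before the catch-all.
ESCAPE = re.compile(r"\\(x[0-9A-Fa-f]{1,2}|[0-7]{1,3}|.)", re.S)
# ${"name"} where name is a plain identifier, which is simply $name.
VAR_VAR = re.compile(r'\$\{"([A-Za-z_][A-Za-z0-9_]*)"\}')
# Characters that must stay escaped, or the literal would change meaning.
KEEP_ESCAPED = set('"\\${')


def _decode_escape(m):
    token = m.group(1)
    if token[0] == "x" and len(token) > 1:
        code = int(token[1:], 16)
    elif token[0] in "01234567":
        code = int(token, 8) & 0xFF  # PHP wraps octal values above \377
    else:
        return m.group(0)  # \n, \\, \", \$ and friends are left untouched
    ch = chr(code)
    if 0x20 <= code <= 0x7E and ch not in KEEP_ESCAPED:
        return ch
    return m.group(0)  # non-printable or syntax-relevant: keep the escape


def _decode_literal(m):
    text = m.group(0)
    if text[0] == "'":
        return text  # single-quoted strings do not interpret \xNN
    return ESCAPE.sub(_decode_escape, text)


def deobfuscate(source):
    """Decode printable escapes in double-quoted literals, then fold ${"x"} to $x."""
    return VAR_VAR.sub(r"$\1", LITERAL.sub(_decode_literal, source))


# Constructed sample: the obfuscated statement quoted in the question.
SAMPLE = r'${"\x47\x4c\x4f\x42\x41\x4cS"}["y\x61\x72\x64s\x70\x71"]="va\x6cu\x65";'

if __name__ == "__main__":
    print(deobfuscate(SAMPLE))
```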

Simply make it print out the plain strings, like:

<pre><?php
    //${"\x47\x4c\x4f\x42\x41\x4cS"}["y\x61\x72\x64s\x70\x71"]="va\x6cu\x65";
    print_r(
        array(
            "\x47\x4c\x4f\x42\x41\x4cS",
            "y\x61\x72\x64s\x70\x71",
            "va\x6cu\x65",
        )
    );
?></pre>

To me, it resulted in:

$GLOBALS["yardspq"]="value";

See it working...

I would use PHP de-obfuscators (reverse PHP encoding processors)...

Searching for "PHP deobfuscator", you may find many; the list grows as it is becoming common to find such code in injected files from hacked websites.

Such injections are usually mass processed, so it may be possible to find solutions by experts for most cases.

I don't think there is any script that "cleans" obfuscated code.

For your comment, that line is "equal" to something like

$array["key"] = 'value';
